#############################
# VisualSitemaps Bug-Bounty Policy
# Version: 1.0 — 2025-01-01
#############################

# 1. CONTACT
Contact: mailto:support@visualsitemaps.com
Preferred-Languages: en

# 2. SCOPE
# Anything hosted under *.visualsitemaps.com and api.visualsitemaps.com
# — including staging and beta sub-domains — is in scope.
# The following are out of scope:
#   · Denial-of-Service tests (volumetric or application-layer)
#   · Social-engineering of staff or customers
#   · Third-party services not operated by VisualSitemaps
#   · Findings that require physical access or MITM on user’s network

# 3. REWARDS
#   • Low severity (CVSS < 4.0): public thanks + swag
#   • Medium severity (CVSS 4.0-6.9): US $100-$500
#   • High severity (CVSS 7.0-8.9): US $500-$2 000
#   • Critical (CVSS ≥ 9.0 or auth-bypass/RCE): US $2 000-$5 000
# Payouts are processed via PayPal or ACH within 30 days of triage.

# 4. DISCLOSURE POLICY
#   • Submit the full vulnerability details, including proof-of-concept,
#     to the CONTACT addresses above.
#   • Do not publicly disclose the issue until we confirm it is fixed—or
#     we grant written permission for coordinated disclosure.
#   • Do not access, modify, or destroy customer data. Use test accounts
#     only; if you inadvertently encounter real data, report it immediately
#     and purge all local copies.

# 5. RESPONSE TIMELINE
# Receipt acknowledgement: ≤ 3 business days
# Initial triage & severity: ≤ 7 business days
# Fix or mitigation deployed: ≤ 30 calendar days for high/critical
# Status updates: Weekly until closed

# 6. SAFE-HARBOR
# We will not pursue legal action or public-safety referral against
# security researchers who:
#   · Follow this policy in good faith
#   · Avoid privacy violations and service disruption
#   · Give us a reasonable time to remediate before disclosure

# Thank you for helping keep VisualSitemaps secure!