Vartopia wants you to responsibly disclose vulnerabilities through our Bug Bounty Program. We don’t want researchers put in fear of legal consequences because of their good faith attempts to detect bugs and vulnerabilities. We cannot bind any third party, so do not assume that this protection extends to any action against any third party, including those related to good faith security research. If in doubt, please contact us before engaging in any specific action you think might be outside of the scope of this policy.

• Because both identifying and non-identifying information can put a researcher at risk, we limit the information we share with third parties. We may provide non-identifying substantive information from your report to an affected third party, but only after notifying you and receiving a written binding commitment that the third party will not pursue legal action against you. We will only share identifying information (name, email address, phone number, etc) with a third party if you give your written permission to do so.
• If your good faith security research as part of the Vartopia Bug Bounty Program violates certain restrictions in our website policies, the safe harbor terms permit a limited exemption. 

This section makes sure that security researchers are safe from any prosecution when they act in good faith and comply with the rules of this Program.

• Vartopia will not take civil action or file a criminal complaint against participants for accidental violations or infringements of Vartopia’s rights performed in compliance with this Policy.
• Vartopia will not take civil action or file a criminal complaint against participants for trying to circumvent the security measures deployed in order to protect the services in-scope for this Program.
• Any non-compliance with this Policy may result in exclusion from the Program. For minor breaches, a warning may be issued. For severe breaches, the organizers reserve the right to take civil action and/or file a criminal complaint.
• If a legal action is initiated by a third party against a participant and the participant has complied with this Policy, Vartopia will take the necessary measures to make it known to the competent authorities that such participant’s actions have been conducted in compliance with this Policy.

In Scope Targets : my.vartopia.com

Vartopia reserves the right to not reward any submission if we so choose, and we will not provide compensation for time spent researching. Bounties are awarded only to the first unique report of a previously unidentified vulnerability. Subsequent reports will be closed as duplicates and not eligible for a bounty. Vulnerability severity and reward amounts are determined at the discretion of Vartopia. Reward amounts and vulnerability severity classifications are subject to change at any time. Bounty payments are made via XTRM, which is currently our preferred method of payment, but we reserve the right to change the payment method at our sole discretion.

When working with us according to this policy, you can expect us to:

• Submissions to this program should be submitted here. Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps may be ineligible for a reward.
• Automated testing/scanning must be kept under 60 requests per minute.
• Make a good faith effort to avoid privacy violation, disruption of service and destruction of data.
• Avoid submitting offensive content to the platform.
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity.
• This program does not allow disclosure. You may not publicly disclose information about vulnerabilities found in this program without explicit written permission from Vartopia
• Do not perform any tests that will disrupt services or impair others’ ability to use those services.
• If a vulnerability provides unintended access to data, do not access the data beyond the minimum extent necessary to effectively demonstrate the presence of a vulnerability.
• If you encounter any sensitive data during testing such as Personally Identifiable Information (PII), or other confidential information, stop and submit a report immediately.
• Testing must not violate any applicable laws.
• In case that a reported vulnerability was already known, it will be flagged as a duplicate.

• Spam, social engineering and physical intrusion.
• DoS/DDoS attacks or brute force attacks.
• Vulnerabilities that are limited to non-current browsers.
• Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts.
• Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch is available.
• Reports that state that software is out of date/vulnerable without a proof-of-concept. 

Questions regarding this policy may be sent to security@vartopia.com. Vartopia encourages security researchers to contact us for clarification on any element of this policy. 

Please contact us if you are unsure if a specific test method is inconsistent with or unaddressed by this policy before you begin testing.