Request & Consola

The Request Finance bug bounty program currently targets security issues in the following scopes:

<a href="https://app.request.finance" rel="nofollow noopener noreferrer" target="_blank">https://app.request.finance</a>

<a href="https://request.finance" rel="nofollow noopener noreferrer" target="_blank">https://request.finance</a>

- <a href="https://app.request.finance" rel="nofollow noopener noreferrer" target="_blank">https://app.request.finance</a>
- <a href="https://request.finance" rel="nofollow noopener noreferrer" target="_blank">https://request.finance</a>
- Request Finance mobile app

It includes all the features that are live or in beta.

The rules of our bug bounty program are the following:

Issues already known to the Request team are not eligible for bounty rewards. This includes issues already submitted by someone else.

Public disclosure of a vulnerability makes it ineligible for a bounty.

The Request core development team, employees, and all other people paid by Request Labs or the Request Network Foundation, directly or indirectly, are not eligible for rewards.

The Request bounty program considers a number of variables in determining rewards. Determinations of eligibility, score, and all terms related to rewards are at the sole and final discretion of the Request Finance bug bounty panel.

- Issues already known to the Request team are not eligible for bounty rewards. This includes issues already submitted by someone else.
- Public disclosure of a vulnerability makes it ineligible for a bounty.
- The Request core development team, employees, and all other people paid by Request Labs or the Request Network Foundation, directly or indirectly, are not eligible for rewards.
- The Request bounty program considers a number of variables in determining rewards. Determinations of eligibility, score, and all terms related to rewards are at the sole and final discretion of the Request Finance bug bounty panel.

The value of rewards paid out will vary depending on severity. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood:

Reward sizes are guided by the rules below, but are ultimately determined at the sole discretion of the Request Foundation bug bounty panel. We also take into account the efforts put to find and report the vulnerability, including efforts put at giving proofs and solutions.

- Critical: up to 20 000 €
- High: up to 15 000 €
- Medium: up to 10 000 €
- Low: up to 2 000 €
- Note: up to 500 €

By e-mail: <a href="mailto:security@request.finance" rel="nofollow noopener noreferrer" target="_blank">security@request.finance</a>.

The bug bounty program has no end date until communicated otherwise.

Critical vulnerabilities reported to security@request.finance will be rewarded up to €20,000.

Scope

Rules and rewards

How to report