Pushfor Bug Bounty Programme

If you believe you have found a security vulnerability on Pushfor, please disclose it to us responsibly. We will investigate all genuine reports straight away and we will not pursue law enforcement actions if you follow our responsible disclosure policy outlined below. The rewards range from £100 to £5000.

We ask that you:

  • Report the issue as soon as possible. Allow for a reasonable amount of time for a response, and patching.
  • Do not further exploit the vulnerability; if you inadvertently do so, you must include this in your report.
  • Do not access any personal or company data; if you inadvertently do so, you must include this in your report.
  • Do not disclose the vulnerability to anyone else.
    Include the type of issue, a proof of concept, and an explanation of what an attacker could do with it.
  • Note that not all bugs are security bugs. Pushfor will ultimately determine the nature and seriousness of each report.
  • Note that if a report is duplicated, we will award the bounty to the first person to make the report.
  • Our intention is to pay similar amounts for similar reports, but past amounts do not guarantee future payouts.
  • Send the report to security-report@pushfor.com and do not use any other channels to notify us. If you would like to use PGP, include this in your email.

The bug bounty program is limited to:

Pushfor application websites (e.g. web.pushfor.com, push2link.com, payments.pushfor.com, app.pushfor.com)
Pushfor mobile applications (i.e. IOS and Android)
Pushfor desktop applications (i.e. Windows and Mac)