We want Orca Scan to be safe for everyone. If you find a vulnerability and report it responsibly, we’ll investigate, fix it, and reward you if it meets our criteria.
We appreciate anyone who takes the time to help protect our community. Our bug bounty program exists to recognise that effort and ensure it’s rewarded fairly.
What you can test
You can report a security issue in any of the following Orca Scan services:
Allowed
- Orca Scan web app and authenticated features
- Official Orca Scan apps on iOS and Android
- Public Orca Scan REST API endpoints
- Backend services that we operate and expose publicly
Not allowed
- Systems owned by third parties (we do not control them)
- Social engineering or phishing
- Brute forcing or credential guessing
- Testing that harms performance or causes downtime
- Accessing or using real customer data
If you are unsure whether something is allowed, ask us before testing.
How the process works
- Find a valid security issue: focus testing on in-scope targets only.
- Submit a report: include steps, a proof of concept, and why it matters.
- We review the issue: our team confirms severity, risk, and impact.
- We fix the issue quickly: you will get updates during the process.
- You receive a reward: payouts depend on severity, impact, and report quality.
We aim to reply to all valid submissions within 72 hours.
What you can earn
We pay rewards for confirmed, non-duplicate vulnerabilities.
| Severity | What it means | Typical payout |
|---|---|---|
| Critical | Account takeover, remote code execution, major data exposure | $500 – $2,000 |
| High | Privilege escalation, serious authorisation bypass | $400 – $1,000 |
| Medium | Sensitive data exposure, persistent XSS | $200 – $500 |
| Low | Minor issues that still pose a security risk | $100 – $200 |
Clear steps and a solid proof of concept help us move faster and may increase the reward.
Rules you must follow
To be eligible for rewards:
- Only test features that are in scope
- Avoid actions that disrupt service for others
- Use your own test account wherever possible
- Do not access, share, or store real customer data
- Keep vulnerability details private until we fix the issue
- Follow the law at all times
We support good-faith security research. Malicious activity is not allowed.
Legal protection for researchers
If you follow these rules and act responsibly:
- You will have safe harbour while testing
- We will not take legal action against you
- We will work with you if something unexpected happens
If you are in doubt, please contact us before proceeding.
How to report a vulnerability
Submit your report using our secure form:
After you submit
We will:
- Confirm we received your report
- Review the issue and assign a severity
- Share progress updates as we work on a fix
- Award a bounty if the issue is validated
Bug Bounty FAQs
Who can participate in the Bug Bounty program?
Anyone. Whether you are a professional researcher or someone who just noticed something unusual, we welcome your help.
Will every report receive a reward?
No. Only confirmed and eligible findings receive payment; reports with no security impact, and duplicate reports, may not qualify.
Can I share the vulnerability publicly?
Only after we fix the issue or give written approval. Public disclosure before that may disqualify the reward.
What if I accidentally access customer data?
Stop testing immediately and report the results to us. Do not store, share, or keep the data. We will prioritise the fix.
Can I use automated tools?
Yes, as long as they do not harm performance or trigger denial-of-service behaviour.
Questions about reporting a security issue?
You can chat with us live or drop us an email at hello@orcascan.com.