Public · Year 16 of zero breaches

Help us stay unhacked.

Find a real vulnerability, get paid. Coordinated disclosure, a clear scope, fair rewards, and credit in the hall of fame.

Rewards

Pay scales with severity.

Bands below are guidance, not a contract - final amount accounts for impact, exploitability, and report quality. Confirmed criticals get an immediate ack and same-day payment.

Critical
€5-15k
RCE · auth bypass · funds exfil
  • Remote code execution on prod
  • Wallet drain or fund redirect
  • Cross-account auth bypass
  • Federation key compromise
High
€1.5-5k
Privilege escalation · stored XSS
  • Vertical privilege escalation
  • Stored XSS hitting other accounts
  • SQL injection (read or write)
  • SSRF reaching internal services
Medium
€400-1.5k
CSRF · IDOR · misconfig
  • CSRF on state-changing actions
  • IDOR with non-trivial impact
  • Subdomain takeover
  • Insecure cookie / header misconfig
Low
€80-400
Self-XSS · open redirect · info leak
  • Self-XSS without amplification
  • Open redirect (login flow)
  • Verbose error / version disclosure
  • Rate-limit gaps with low impact
Scope

In and out.

In scope

  • Web app: app.ivo.cy, internetivo.com, all federation peer dashboards listed on /network-status.
  • Public API: api.ivo.cy/v1 (production and sandbox).
  • Mobile apps: latest released iOS and Android builds.
  • WHMCS addon: latest tagged release. Source available on request under NDA.
  • Federation protocol: ECDSA signing, registry, peer admission.

Out of scope

  • Findings against third parties (Stripe, Cloudflare, Postmark) - please report to them directly.
  • DoS / volumetric attacks, click-jacking on pages without sensitive actions, missing best-practice headers without an exploitable impact.
  • Self-disclosed credentials, social engineering, physical attacks.
  • Issues requiring root access on the victim's device.
  • Outdated dependency advisories without a working PoC.

Rules of engagement

  • Test only on accounts you own. Use the sandbox where possible.
  • Do not access, modify, or exfiltrate other users' data. If you stumble on it, stop and tell us.
  • Coordinated disclosure: please don't publish until we've shipped a fix. We commit to a fix window proportional to severity.
  • One report per issue. Duplicates are paid to the first reproducible submitter.
  • No automated scanning that meaningfully degrades service. If you must, contact us first.

How we handle reports

  1. Acknowledge within 24 hours.
  2. Triage within 72 hours - severity assigned, scope confirmed, dup-checked.
  3. Pay within 14 days of confirmed reproduction (criticals same day).
  4. Disclose publicly with credit, if you'd like, after the fix is live.

Safe harbour

Good-faith research within these rules will not be the subject of legal action by Internetivo Ltd. We will, on request, advocate on your behalf if a third party brings a claim related to your work under this program.

Hall of fame

Researchers who made us better.

Illustrative only. Entries below are placeholders to show what the published hall of fame will look like. The real list begins with the first approved write-up.
2026 · Critical
@neutron-flux

Discovered an ECDSA signature replay window during the Q1 federation registry rollout. Patched within 6 hours.

2026 · High
@m4ria_c

Reported a stored XSS in the dispute evidence panel that could reach arbitrators. Triage and fix shipped same day.

2025 · High
@panayiotis

Found an IDOR on the legacy admin investments view - pre-Goal-1 audit. Surface has since been removed from the codebase.

Want your handle here? security@internetivo.com