Public · Year 16 of zero breaches

Help us stay unhacked.

Find a real vulnerability, get paid. Coordinated disclosure, a clear scope, fair rewards, and credit in the hall of fame.

Rewards

Pay scales with severity.

Bands below are guidance, not a contract - final amount accounts for impact, exploitability, and report quality. Confirmed criticals get an immediate ack and same-day payment.

Critical (€5–15k) - RCE · auth bypass · funds exfiltration
  • Remote code execution on prod
  • Wallet drain or fund redirect
  • Cross-account auth bypass
  • Federation key compromise

High (€1.5–5k) - privilege escalation · stored XSS
  • Vertical privilege escalation
  • Stored XSS hitting other accounts
  • SQL injection (read or write)
  • SSRF reaching internal services

Medium (€400–1.5k) - CSRF · IDOR · misconfig
  • CSRF on state-changing actions
  • IDOR with non-trivial impact
  • Subdomain takeover
  • Insecure cookie / header misconfig

Low (€80–400) - self-XSS · open redirect · info leak
  • Self-XSS without amplification
  • Open redirect (login flow)
  • Verbose error / version disclosure
  • Rate-limit gaps with low impact

Scope

In and out.

In scope

  • Web app: app.ivo.cy, internetivo.com, all federation peer dashboards listed on /network-status.
  • Public API: api.ivo.cy/v1 (production and sandbox).
  • Mobile apps: latest released iOS and Android builds.
  • WHMCS addon: latest tagged release. Source available on request under NDA.
  • Federation protocol: ECDSA signing, registry, peer admission.

Out of scope

  • Findings against third parties (Stripe, Cloudflare, Postmark) - please report to them directly.
  • DoS / volumetric attacks, clickjacking on pages without sensitive actions, missing best-practice headers without an exploitable impact.
  • Self-disclosed credentials, social engineering, physical attacks.
  • Issues requiring root access on the victim's device.
  • Outdated dependency advisories without a working PoC.

Rules of engagement

  • Test only on accounts you own. Use the sandbox where possible.
  • Do not access, modify, or exfiltrate other users' data. If you stumble on it, stop and tell us.
  • Coordinated disclosure: please don't publish until we've shipped a fix. We commit to a fix window proportional to severity.
  • One report per issue. Duplicates are paid to the first reproducible submitter.
  • No automated scanning that meaningfully degrades service. If you must, contact us first.

How we handle reports

  1. Acknowledge within 24 hours.
  2. Triage within 72 hours - severity assigned, scope confirmed, dup-checked.
  3. Pay within 14 days of confirmed reproduction (criticals same day).
  4. Disclose publicly with credit, if you'd like, after the fix is live.

Safe harbour

Good-faith research within these rules will not be the subject of legal action by Internetivo Ltd. We will, on request, advocate on your behalf if a third party brings a claim related to your work under this program.

Hall of fame

Researchers who made us better.

Sample entries shown - public hall of fame begins as approved write-ups land.

2026 · Critical
@neutron-flux

Discovered an ECDSA signature replay window during the Q1 federation registry rollout. Patched within 6 hours.

2026 · High
@m4ria_c

Reported a stored XSS in the dispute evidence panel that could reach arbitrators. Triage and fix shipped same day.

2025 · High
@panayiotis

Found an IDOR on the legacy admin investments view - pre-Goal-1 audit. Surface has since been removed from the codebase.

Want your handle here? security@internetivo.com