Security Researchers Welcome

We value the security community's efforts in making our systems more secure. This policy outlines how to report vulnerabilities responsibly.

Scope

This policy applies to vulnerabilities discovered in:

  • *.cyberez.com - All Cyberez domains and subdomains
  • Cyberez Mobile Apps - iOS and Android applications
  • Public APIs - All documented REST and GraphQL endpoints
  • Daemon Interfaces - Public-facing daemon interaction points
  • Quantum Encryption Services - Client-side implementations only

Out of Scope

  • Physical security issues
  • Social engineering attacks
  • Denial of Service (DoS/DDoS) attacks
  • Internal employee systems
  • Daemon core architecture (classified)

Reporting Process

1. Discover: Find a security vulnerability in our systems
2. Document: Create a detailed report with proof of concept
3. Encrypt: Use our PGP key to encrypt sensitive details
4. Submit: Send to security@cyberez.com
5. Collaborate: Work with our team on verification and fixes

What We Need

Your report should include:

  • Vulnerability Type: XSS, SQLi, RCE, etc.
  • Affected Component: URL, parameter, or service
  • Steps to Reproduce: Clear, numbered steps
  • Proof of Concept: Screenshots, videos, or code
  • Impact Assessment: What an attacker could achieve
  • Suggested Fix: If you have recommendations

Our Commitment

Response Time

Initial response within 24 hours, triage within 72 hours

Safe Harbor

No legal action for good-faith security research

Recognition

Public acknowledgment in our Security Hall of Fame

Rewards

Bounties for qualifying vulnerabilities (see table below)

Bounty Rewards

Severity | Examples                                             | Reward Range
---------|-----------------------------------------------------|-------------------
Critical | RCE, Daemon control, Quantum key exposure           | $10,000 - $50,000
High     | Authentication bypass, SQLi, Privilege escalation   | $3,000 - $10,000
Medium   | Stored XSS, CSRF, Information disclosure            | $500 - $3,000
Low      | Self-XSS, Missing security headers, Version disclosure | $100 - $500

Disclosure Timeline

  • 0 days: Initial report received
  • 1-3 days: Initial triage and response
  • 7-30 days: Vulnerability verification and fix development
  • 30-90 days: Patch deployment to production
  • 90 days: Coordinated public disclosure

Daemon-Related Vulnerabilities

Vulnerabilities involving daemon behavioral exploitation or signal manipulation are considered CRITICAL and may qualify for expedited handling and enhanced rewards. Please note that intentional daemon backdoors for emergency shutdown are not considered vulnerabilities.

Legal Safe Harbor

Signal Integrity: Security research conducted during high degradation periods (below 85%) may produce inconsistent results. Please note environmental signal levels in your reports.