Security Vulnerability Disclosure & Bug Bounty Policy

At Seacayago.com, we take the security of our systems and our users’ data seriously. If you discover a security vulnerability, we strongly encourage you to report it to us immediately. We appreciate responsible disclosure and will make every effort to promptly investigate and address legitimate security issues.

Before submitting a report, please carefully read this policy, including our core principles, submission guidelines, and reward structure.


Responsible Disclosure Principles

If you follow the guidelines below when reporting a security issue, we will not pursue legal action or enforcement investigations against you. We ask that:

  1. You provide reasonable time for us to investigate and resolve the issue before disclosing it publicly or sharing the details with others.
  2. You do not access or modify private data or accounts without explicit permission from the account holder.
  3. You make a good-faith effort to avoid privacy violations, data destruction, service disruption, or degradation.
  4. You do not exploit the vulnerability in any way beyond what is necessary to demonstrate the issue.
  5. You comply with all applicable laws and regulations while conducting your research.

Bug Bounty Program

We recognize and reward security researchers who help us keep our platform secure. Bounties are awarded at the sole discretion of Seacayago.com based on risk, impact, reproducibility, and overall report quality.

To qualify for a bounty, you must:

  1. Follow our responsible disclosure principles (outlined above).
  2. Report a genuine security vulnerability that creates a security or privacy risk in our systems or infrastructure. (We reserve the right to determine what constitutes a security risk.)
  3. Submit your report through our official security reporting channel. Please do not contact individual employees.
  4. If your testing results in unintended access to confidential data or causes a service disruption, stop, do not retain or share the data, and disclose what happened in your report.
  5. Understand that response times may vary depending on report volume and severity.

We reserve the right to publish accepted reports (anonymously if requested) to improve transparency and awareness.


Reward Guidelines

Reward amounts are based on severity, exploitability, and report quality. The examples under each level are indicative; an issue is placed in the level that matches its demonstrated impact, not the name of its vulnerability class. Below are maximum payouts per severity level:

  • Critical Severity ($200):
    Vulnerabilities that lead to full account takeover, remote code execution, administrative privilege escalation, or financial theft.
    Examples:
    • Remote code execution
    • SQL injection that leaks sensitive data
    • Authentication bypass, or vertical privilege escalation (a regular user gaining administrative rights)
    • Takeover of arbitrary user accounts
  • High Severity ($100):
    Vulnerabilities that undermine platform-wide security controls or expose other users' accounts or data.
    Examples:
    • Horizontal privilege escalation (accessing another user's account or data at the same privilege level)
    • Stored XSS affecting other users
    • Local file inclusion
    • Insecure handling of session or authentication cookies
  • Medium Severity ($50):
    Vulnerabilities that affect multiple users with minimal interaction.
    Examples:
    • Business logic flaws
    • Insecure direct object references
  • Low Severity (Recognition only):
    Vulnerabilities that affect individual users and require user interaction or specific conditions.
    Examples:
    • Open redirects
    • Reflected XSS
    • Low-sensitivity data leaks

Important Notes:

  • Detailed reports with clear, reproducible steps are required: the affected URL or endpoint, the exact steps or request needed to reproduce the issue, and the impact you were able to demonstrate. Vague or incomplete submissions will not qualify for a bounty.
  • If duplicate reports are submitted, only the first fully reproducible report will be rewarded.
  • Multiple issues stemming from the same root cause will be treated as one submission.

How to Report a Vulnerability

If you believe you’ve found a security vulnerability, please report it to us through our security center or contact us using the details below:

📧 Email: Contact@seacayago.com
📞 Phone: +1 (971) 298-1394