Security Policy & Bug Bounty

Last updated: May 2026

1. Overview

We take the security of Octopus seriously. If you believe you have found a security vulnerability in our cloud-hosted service, we encourage you to report it through our coordinated disclosure program. Eligible reports may receive a monetary reward and recognition in our hall of fame.

2. How to Report

Send a detailed report to [email protected]. Please include:

  • A clear description of the vulnerability and its impact
  • Step-by-step reproduction instructions
  • Affected endpoints, parameters, or components
  • Proof-of-concept code or screenshots where applicable
  • Your name or handle for hall-of-fame credit (optional)

For sensitive reports, request our PGP key in your initial message. Please do not disclose the issue publicly until we have confirmed a fix.

3. Response Timeline

  • Initial acknowledgement: within 3 business days
  • Triage & severity rating: within 7 business days
  • Fix target: 30 days for critical/high, 90 days for medium/low
  • Public disclosure: coordinated, typically after the fix is deployed and customers have had time to update

4. Scope

The following assets are in scope for the bug bounty program:

  • octopus-review.ai and its subdomains
  • The Octopus cloud application and its public APIs
  • Authentication and session handling on the cloud service
  • Billing and payment flows on the cloud service

5. Out of Scope

The following are not eligible for rewards under this program:

  • Self-hosted Octopus instances (please report through our public issue tracker as security advisories)
  • Third-party services we depend on (GitHub, Bitbucket, Stripe, OpenAI, Anthropic, Qdrant, Cloudflare) — report to them directly
  • Denial-of-service attacks, volumetric or otherwise
  • Social engineering, phishing, or physical attacks against Octopus staff or infrastructure
  • Automated scanner output without a demonstrated, verified impact
  • Missing security headers, SPF/DKIM/DMARC, or TLS configuration issues without a concrete exploit
  • Self-XSS or clickjacking on non-sensitive pages
  • Rate-limiting issues on non-authentication endpoints
  • Version or stack disclosure without further impact
  • Issues requiring outdated browsers or rooted devices
  • Best-practice recommendations without a working proof of concept
  • Vulnerabilities in third-party dependencies already disclosed upstream

6. Rules of Engagement

To remain eligible, you must:

  • Test only against accounts and organizations you own or have explicit permission to test
  • Never access, modify, or delete data belonging to other users — stop and report as soon as access is demonstrated
  • Not run automated scans that degrade service for other users
  • Not perform denial-of-service or load testing
  • Not use social engineering against staff, customers, or vendors
  • Report findings as soon as possible and avoid public disclosure until we have shipped a fix
  • Comply with all applicable laws

7. Rewards

Reward amounts are determined at our discretion based on severity (CVSS 3.1), exploitability, and report quality. Indicative ranges:

  • Critical (e.g. remote code execution, authentication bypass, large-scale data exposure): $500 to $2,000
  • High (e.g. account takeover, privilege escalation, sensitive data leak): $200 to $500
  • Medium (e.g. stored XSS, SSRF, IDOR with limited impact): $50 to $200
  • Low (e.g. open redirects, state-changing CSRF): $25 to $50

Only the first reporter of a given vulnerability is eligible. Duplicate reports, theoretical issues, and out-of-scope findings do not qualify. Payouts are made via bank transfer or PayPal once a fix has been verified.

8. Hall of Fame

Researchers who responsibly disclose valid vulnerabilities are credited (with their consent) in our public hall of fame at /docs/security/hall-of-fame. You may choose to remain anonymous or use a handle.

9. Safe Harbor

We will not pursue legal action against, or support law-enforcement investigation of, security researchers who:

  • Make a good-faith effort to comply with this policy
  • Avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Only interact with accounts they own or have permission to test
  • Give us reasonable time to investigate and fix an issue before any public disclosure

Activity conducted in accordance with this policy is considered authorized under our Terms and Conditions and is exempt from the Acceptable Use restrictions found there. If legal action is initiated by a third party against you for activity conducted under this policy, we will make this authorization known.

10. Contact

Security reports: [email protected]