• Follow HackerOne’s disclosure guidelines.
• Delete any test data or accounts you have created as part of the research.
• Don’t attack or interact with end-users.
• Don’t engage with stolen user data, including credentials.
• Don’t use automated scans or testing, including DoS attacks.
• Don’t use social engineering attacks, such as phishing.
• Don’t engage in physical testing of Scholar Fund employees or their equipment.
  

Failure to comply with these rules results in immediate disqualification.

• *.scholarfundwa.org
• *.scholarfund.io

• Provide a detailed report including clearly reproducible steps, consequences, impact, any test accounts you may have used along with test data.
• Make sure to report independent vulnerabilities in separate tickets.
• Make sure to give your report a clear title that describes the vulnerability.
• Your submission must include written instructions for reproducing the vulnerability. Any report without clear reproduction steps or that includes only a video PoC may be ineligible for a reward.

You may be eligible to receive a monetary reward if:

• You are the first person to submit a site or product vulnerability
• The vulnerability is considered to be a valid security issue by our team
• You have complied with all Program Rules

All bounty amounts will be determined by our team, who will evaluate each report and assign a severity level that determines the amount of the monetary reward to be received. The severity levels are decided internally based on the type of vulnerability and potential impact. Below you can find an overview of samples for each severity level:

Severity level: None - $0

• Issues not related with security, such as non-200 HTTP response codes, application or server errors, etc.
• Issues without a clear security impact, such as logged-out CSRF, missing HTTP security headers (including HSTS), SSL issues, password policy issues, or clickjacking on pages with no sensitive actions.
• Issues affecting outdated applications or components, no longer in use or maintained
• Issues affecting third-parties, such as third-party apps or services we use (such as Airtable, Avochato, and third-party user management and authentication platforms)
• Issues involving Spam or Social Engineering techniques, such as SPF and DKIM, and lack of DMARC or DNSSEC.
• Issues involving server information disclosure, namely `X-Powered-by` and `Server` response headers. Exceptions may exist whenever disclosed information contains a server version with an associated CVE disclosure.
• Issues involving server-side request forgery (SSRF) on services that perform active requests by design, unless it is proven that sensitive information can be leaked.
• Bugs requiring exceedingly unlikely user interaction. (eg. account takeover through SSO login)
• Reports that require privileged access to the target's devices or that are otherwise outside our control. These include but are not limited to: access to browser cookies and/or other tokens used to impersonate the user, access to user's email address, etc.
• Clickjacking issues that occur on pre-authenticated pages, or the lack of X-Frame-Options, or any other non-exploitable clickjacking issues.
• Missing rate limits, unless it can lead to an exploitable vulnerability.
• Specific to client apps
  
• User data stored unencrypted
• Lack of obfuscation
• Runtime hacking exploits that involve manipulation of running code or its environment

Severity level: Low - $100

• Open redirections
• Server misconfiguration or provisioning errors
• Information leaks or disclosure excluding sensitive user data
• Reflected XSS
  
• Other low-severity issues

Severity level: Medium - $200

• CSRF / XSRF
• SSRF to an internal service
• Stored XSS
• Other medium-severity issues
  

Severity level: High - $500

• Information leaks or disclosure including sensitive user data
• Other high-severity issues

Severity level: Critical - $1000

• SQL injection
• Remote code execution
• Privilege escalation
• Broken authentication
• SSRF to an internal service, resulting in critical security risk
• Other critical-severity issues
  

Severity level: Critical

• SQL injection
• Remote code execution
• Privilege escalation
• Broken authentication
• SSRF to an internal service, resulting in critical security risk
• Other critical-severity issues
  

All bounties are paid out via PayPal.

Scholar Fund's team retains the right to determine if the submitted vulnerability is eligible.

All determinations as to the amount of a bounty made by the Scholar Fund Bug Bounty team are final.

Scholar Fund recognizes Bug Bounty finders would like to thank these individuals for earning rewards under the Bug Bounty program: https://airtable.com/shr8bsiFGFnFgcAM7