From b66db5f61a41f5b4e8c460e050bcc60521eb6293 Mon Sep 17 00:00:00 2001 From: Stefan Rinke Date: Sun, 22 Sep 2024 19:10:11 +0200 Subject: [PATCH] Initial for bug bounty policy (#266) * - initial * - lint fix * - wording --- bug-bounty-program.mdx | 91 ++++++++++++++++++++++++++++++++++++++++++ mint.json | 2 +- 2 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 bug-bounty-program.mdx diff --git a/bug-bounty-program.mdx b/bug-bounty-program.mdx new file mode 100644 index 0000000..2db7a6e --- /dev/null +++ b/bug-bounty-program.mdx 
@@ -0,0 +1,91 @@ +--- +title: Bug Bounty Program +description: "Policy for security flaws and bugs and bug bounty rewards" +icon: "bug" +--- + +## Introduction + +At **Octomind**, security is at the core of everything we do. Our SaaS platform provides business critical test generation and execution, +and we are committed to providing a secure environment for our users. We recognize that no technology is perfect, and we invite the global +community to help us identify potential vulnerabilities through our **Bug Bounty Program**. + +If you believe you’ve found a security issue in our system, we encourage you to report it to us. By responsibly disclosing security +vulnerabilities, you are helping us protect our users and improve our services. + +## Program Scope + +### In Scope: + +- All services under the domain **octomind.dev** +- SaaS platform, APIs, and related integrations + +### Out of Scope: + +- Third-party services or platforms (unless explicitly mentioned) +- Social engineering (e.g., phishing attacks) +- Physical security +- Denial of Service (DoS) attacks or anything that affects service availability +- Vulnerabilities in third-party libraries without demonstrable exploitability on **octomind.dev** services + +## Rewards + +Our reward program is based on the severity and impact of the vulnerability. 
Rewards will be determined by our internal assessment team, taking into account: + +- Vulnerability criticality +- Potential impact on our users and infrastructure +- Quality of the report and clarity of the reproduction steps + +| Severity | Example Impact | Minimum Reward | +| -------- | ------------------------------------------- | -------------- | +| Low | Minor security misconfigurations | $50 | +| Medium | Sensitive information exposure | $100 | +| High | Unauthorized access to accounts or data | $500 | +| Critical | Remote Code Execution, privilege escalation | $1,000+ | + +**Note:** Rewards are at the sole discretion of Octomind’s security team, and we reserve the right to adjust based on the severity, impact, and report quality. + +## Eligibility + +To be eligible for a bounty, you must: + +1. Follow our **Responsible Disclosure Guidelines**. +2. Not be an employee or contractor of **Octomind** or its subsidiaries. +3. Be the first to report a previously unknown vulnerability. +4. Avoid privacy violations, destruction of data, or interruption of service. + +## Responsible Disclosure Guidelines + +We ask that you: + +- Report vulnerabilities **privately** to our security team at [security@octomind.dev](mailto:security@octomind.dev). +- Give us a reasonable amount of time to address the issue before publicly disclosing it (we aim to respond within 5 business days). +- Do not exploit or further manipulate the vulnerability in any way other than for testing purposes. + +## How to Report + +1. **Summary**: Provide a clear description of the vulnerability. +2. **Steps to Reproduce**: Provide detailed instructions on how to reproduce the issue. +3. **Impact**: Explain the potential impact of the vulnerability. +4. **Screenshots or Proof of Concept**: Include any supporting documentation that can help us understand the issue. + +Submit your report via email at [security@octomind.dev](mailto:security@octomind.dev). 
+ +## Exclusions + +The following types of reports **will not** be eligible for a reward: + +- Findings from automated tools without clear exploitability +- Bugs that require excessive or unlikely user interaction +- Vulnerabilities affecting outdated or unsupported browsers or platforms +- Issues related to browser cookies or best practices that do not lead to a specific vulnerability + +## Legal + +You must comply with all applicable laws when conducting research and must not engage in any illegal activity. By submitting a report, you agree that you are legally authorized to do so and that your actions align with the terms of this Bug Bounty Policy. + +## Contact + +For questions related to this program or to submit a report, please email [security@octomind.dev](mailto:security@octomind.dev). + +Thank you for helping us keep **Octomind** and our users safe! diff --git a/mint.json b/mint.json index e8aacd6..9aca8a0 100644 --- a/mint.json +++ b/mint.json @@ -103,7 +103,7 @@ }, { "group": "Advanced", - "pages": ["variables", "rate-limiting"] + "pages": ["variables", "rate-limiting", "bug-bounty-program"] }, { "group": "Changelog",
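Review bot: the new `## Legal` section asks researchers to comply with all applicable laws but never states that Octomind authorizes good-faith testing within the stated scope, so a tester probing `octomind.dev` has no safe-harbor assurance and is, strictly read, still performing unauthorized access. Suggest adding a sentence along the lines of "Octomind authorizes security research conducted in accordance with this policy and will not pursue legal action against researchers who act in good faith and within scope." Two smaller points in the same hunk: the `### In Scope:` entry "All services under the domain **octomind.dev**" covers production without saying whether testers must use their own accounts or must stop at the first evidence of access to another user's data (the Eligibility item "Avoid privacy violations" implies it but does not say it), and the only reporting channel is plain e-mail to `security@octomind.dev` with no PGP key or `security.txt` reference, so vulnerability details travel unencrypted.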
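Review bot: in the `mint.json` hunk, appending `"bug-bounty-program"` to the `"Advanced"` group places the security disclosure policy next to product-feature pages (`"variables"`, `"rate-limiting"`), where researchers arriving from outside the product docs are unlikely to find it. Suggest a dedicated navigation group for it (for example a `"Security"` group) and, separately from this file, publishing a `/.well-known/security.txt` that points at the page so the policy is discoverable by the standard mechanism.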