Print Logo
You're using an older browser that we are unable to fully support. Your experience with our site may be less than optimal due to our focus on performance, security and reliability. Consider upgrading your browser if you have problems using our site. Learn More

Get Paid to Report Serious Bugs and Security Issues

Put your experience to work for cash or store credit, but most of all to make everyone's experience here better and more secure.


Responsible Disclosure

If you checkout or submit contact or lead forms, use
Make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services. Do not access or modify data that does not belong to you. Do not make any information public until the issue has been resolved.

In order to encourage responsible disclosure, we will not bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

This is Eligible

We decide if the minimum severity threshold is met and whether it was previously reported. Anything which has the potential for financial loss or data breach is of sufficient severity, including: (only the highest severity for a given issue is eligible)

Only the highest severity for a given issue is eligible

$US 3,100.00 - $US 3,500.00 Remote code execution / SQL injection
$US 800.00 - US$ 2,000.00 Authentication bypass or privilege escalation
$US 500.00 Click jacking
$US 500.00 Obtaining user information but not enumeration
$US 300.00 XSS
$US 300.00 CSRF
$US ? Other at our discretion

This is In Scope

* (not eligible for CSRF)
Silver Gold Bull Android app

This is Outside of Scope, Not Eligible

CSRF on checkout page (temporary 2020-05-29)
Rate limiting
Vulnerabilities on assets hosted by third parties including, but not limited to, those with CNAME entries to third parties, such as:
• affiliates.silvergoldbull.*
• autodiscover.silvergoldbull.*
• faq.silvergoldbull.*
• ifaq.silvergoldbull.*
• ira.silvergoldbull.*
• loan.silvergoldbull.*
• rrsp.silvergoldbull.*
• rsp.silvergoldbull.*
• sell.silvergoldbull.*
• sip.silvergoldbull.*
• storage.silvergoldbull.*
• trade.silvergoldbull.*
(The above list is a representative sample and not an exclusive list of all Silver Gold Bull subdomains hosted by third parties.)
Denial of service
Previously reported
Out of date software
Best Practices
Attacks requiring physical access to a user's device
Password and account recovery policies, such as reset link expiration or password complexity
Missing security headers which do not lead directly to a vulnerability
Use of a known-vulnerable library (without evidence of exploitability)
Issues related to software or protocols not under Silver Gold Bull control
Reports from automated tools or scans
Reports of spam
Vulnerabilities affecting users of outdated browsers or platforms
Social engineering of Silver Gold Bull staff or contractors
Any physical attempts against Silver Gold Bull property or data centers
faq.silvergoldbull.* websites
ifaq.silvergoldbull.* websites

Apply Rate Limits of 1 per second to Automated Scanning

If you employ automated scanning tools, their requests must be rate limited to not exceed 1 requests per second. Failure to do so may be considered a DoS attack and will result in disqualification. Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. Please submit an issue only if you have a reproduce-able proof-of-concept.

Send a Rich Report

Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc. Quality not quantity. Keep focused on the technical details and provide precise explanations; stay clear of off-topic commentary. Provide a concrete attack scenario. How will this impact the company or our users?

Payment Terms

Payment for all eligible bug reports will be made via PayPal. It is the responsibility of the researcher to have a PayPal account in order to receive the reward. Payment instructions will be provided when the bug is confirmed eligible. The reward must be accepted within 90 days after the bug is confirmed eligible.

We will respond to reports according to severity.

[email protected]