Eko aims to be the all-in-one productivity suite for company staff, providing people with the tools they need to do their best work. Our goal is to build a tool that can be powerful, simple, and secure.
We take security very seriously, and we started this bounty program in order to proactively engage with the independent security researcher community with the goal of improving security for Eko and our customers.
We categorize all reported security flaws into the following reward tiers:

$2,000 – $5,000
- Remote Code Execution: client-side or server-side vulnerabilities involving command injection.
- Full access to the file system or database: using SSRF, SQL/NoSQL injection, or similar flaws to read arbitrary files or retrieve all data from a database.

$1,000 – $2,000
- Authentication bypass: flaws that allow an attacker to acquire users' login credentials.

$250 – $1,000
- Logic flaws, information leaks, or bypasses of significant security controls: impersonation, triggering sensitive actions, or accessing permissioned information.

$50 – $250
- Code execution on the client: cross-site scripting and other application-level vulnerabilities.

$50 – $5,000
- Other valid security vulnerabilities: CSRF, clickjacking, information leakage, etc.
When you find a security flaw, please submit a report by email to firstname.lastname@example.org. The report should include a detailed description of your discovery with clear, concise, reproducible steps or a working proof of concept. If you do not explain the vulnerability in detail, the disclosure process may be significantly delayed, which is undesirable for everyone.
Eko aims to respond to every security flaw submitted to email@example.com within 2 business days. Once our internal security team has verified the flaw, we will pay the bounty within 14 business days.
- Do not discuss any vulnerability outside of the program without the express consent of the organization.
- Make a good-faith effort not to access or destroy another user's data.
- Make a good-faith effort to clarify and support your reports upon request.
- Act for the common good by promptly reporting all vulnerabilities you find. Never willfully exploit others without their permission.
- Failing to follow these rules will disqualify you from receiving any reward.