Security Research

Find bugs.
Get rewarded.

GhostlyX takes security seriously. If you discover a vulnerability in our platform, we want to hear from you. Responsible disclosure earns recognition, merchandise, and for critical findings, a lifetime Scale plan on us.


  • 48h: initial response target
  • Lifetime Scale plan for critical bugs
  • 100% responsible disclosure
  • Free swag for every valid find

What you can earn

Rewards are determined by severity and impact. Every valid, in-scope report earns at minimum a place in our security hall of fame.

Critical & High

Lifetime Scale plan

The full reward for vulnerabilities that have a direct, material impact on customer data, account security, or platform integrity.

  • GhostlyX Scale plan, forever, free
  • Exclusive GhostlyX swag pack
  • Named in our security hall of fame
  • Personal thank-you from the team

Medium

GhostlyX swag

Meaningful vulnerabilities that require specific conditions to exploit, or impact a limited subset of users.

  • GhostlyX branded merchandise
  • Limited-edition sticker pack
  • Named in our security hall of fame

Low & Informational

Recognition

Low-severity findings and best-practice recommendations that help us improve our security posture.

  • Named in our security hall of fame
  • Personal thank-you from the team

The swag

Every qualifying report earns exclusive GhostlyX merchandise. Critical and high-severity findings unlock the full swag pack.

In scope

The following targets are in scope for the GhostlyX bug bounty program. Reports affecting these systems are eligible for rewards when they meet our severity and impact criteria.

ghostlyx.com

The GhostlyX web application and marketing site, including authentication, billing, dashboard, all user-facing features, forms, and any data submission flows.

Public REST API

All versioned API endpoints documented at ghostlyx.com/api-reference, including authentication and rate limiting.

Tracking script

The JavaScript snippet served from cdn.ghostlyx.com, including data collection and transmission security.

Authentication systems

Login, registration, password reset, two-factor authentication, and OAuth social login flows.

Out of scope

The following are not eligible for rewards. Reports falling into these categories will be closed without action.

Social engineering

Phishing, vishing, or any attempt to manipulate GhostlyX employees or customers.

Physical attacks

Attempts to gain physical access to GhostlyX infrastructure or offices.

Denial of service

Flooding, resource exhaustion, or any attack intended to degrade availability.

Third-party services

Vulnerabilities in services used by GhostlyX but owned and operated by third parties (e.g. Stripe, AWS).

Previously reported issues

Bugs that have already been reported and are known to the GhostlyX security team.

Automated scan output

Raw output from scanners without a demonstrated, exploitable impact.

How we define severity

Severity is assessed from the confidentiality, integrity, and availability impact of a finding, following the CVSS framework. Final classification is at GhostlyX's discretion.

Critical

Remote code execution, SQL injection exposing customer data, authentication bypass giving access to any account, mass data exposure, or privilege escalation to admin.

High

Stored XSS affecting multiple users, IDOR exposing another user's private analytics data, payment flow manipulation, or account takeover requiring minimal interaction.

Medium

Reflected XSS with limited impact, CSRF on sensitive actions, information disclosure of non-critical data, or rate-limit bypass on authentication endpoints.

Low

Non-sensitive information disclosure, missing security headers, open redirects, or best-practice deviations without direct exploitability.

How to submit a report

1. Verify it is in scope

Check the scope section above before submitting. Reports for out-of-scope targets will be closed without review. If you are unsure, email us and ask.

2. Document the vulnerability

Prepare a clear description of the issue, the steps required to reproduce it, the potential impact, and any supporting screenshots, videos, or proof-of-concept code.

3. Email [email protected]

Send your report to [email protected] with the subject line "Bug Bounty Report". Do not disclose the vulnerability publicly or to third parties before we have had an opportunity to remediate.

4. Wait for acknowledgement

We aim to acknowledge all reports within 48 hours and will keep you updated on our investigation. Please allow reasonable time for remediation before any coordinated public disclosure.

Rules of engagement

Researchers who follow these rules are protected from legal action. We are grateful for your help and will treat all reports fairly and transparently.

Do not access customer data

Stop immediately if you encounter personal or customer data. Do not read, copy, or exfiltrate data beyond what is necessary to demonstrate the vulnerability.

Do not disrupt the service

Testing must not degrade availability or performance for other users. Do not run automated scans against production without prior written permission.

Report in good faith

Submit reports to GhostlyX privately before any public disclosure. Coordinated disclosure is encouraged and we will work with you on timing.

Test only on accounts you own

Create a free GhostlyX account for testing. Do not test against other users' accounts, sites, or data without explicit permission.

No automated exploitation

Manual testing only. Automated vulnerability scanning without permission is not permitted and will not be rewarded.

One report per issue

Submit each distinct vulnerability as a separate report. Bundling multiple issues reduces clarity and may delay triage.

Frequently asked questions

What is the GhostlyX bug bounty program?

The GhostlyX bug bounty program rewards security researchers who responsibly disclose vulnerabilities in GhostlyX products and infrastructure. Rewards range from exclusive GhostlyX merchandise for low-severity findings up to a lifetime Scale plan plus swag for critical vulnerabilities.

How do I report a security vulnerability?

Send your report to [email protected] with the subject line "Bug Bounty Report". Include a clear description, reproduction steps, impact assessment, and any proof-of-concept material. We aim to acknowledge all reports within 48 hours.

What qualifies as a critical vulnerability?

Critical vulnerabilities include remote code execution, SQL injection exposing customer data, authentication bypass allowing access to any account, mass data exposure, and privilege escalation to administrative access. These qualify for the lifetime Scale plan reward.

When is a lifetime Scale plan awarded?

A lifetime Scale plan is awarded when a vulnerability is confirmed as critical or high severity, is in scope, was not previously known to us, and was reported in good faith following our responsible disclosure guidelines.

What is the GhostlyX Scale plan worth?

The Scale plan is our top tier, normally priced at $69 per month. A lifetime plan means free access to all Scale features, including session replay, heatmaps, unlimited sites, and all future features, with no expiry and no conditions.

Do I need to be a professional security researcher?

No. The program is open to anyone. Independent researchers, students, developers, and hobbyists are all welcome. The only requirement is that you follow the rules of engagement and report responsibly.

How long does it take to process a report?

We aim to acknowledge reports within 48 hours. The time to remediate varies by severity and complexity. We will keep you updated throughout the process and notify you when the issue is resolved and your reward is ready.

Can I disclose the vulnerability publicly?

We ask that you do not disclose publicly until we have remediated the issue and coordinated a disclosure timeline with you. We are happy to support coordinated disclosure and credit you publicly for your discovery.

Found something? Tell us.

We appreciate every report, big or small. Responsible disclosure keeps our customers safe and earns you a place in the GhostlyX security hall of fame, plus rewards for qualifying finds.