Security is very important to us. If you discover any issue regarding security, please disclose the information responsibly by sending an email to security@count.ly and not by creating a GitHub issue.
All software related security bugs with severity of medium and higher will be awarded accordingly with a bug bounty reward.
Critical Severity: software can be exploited at any time without any additional information
High Severity: some additional information, access or action required (from the user, like clicking on injected link) for software to be exploited
Medium Severity: the impact is limited (for example, can only access limited information) or requires special conditions to achieve it (when server is configured in specific way)
Low - no bounty rewards, does not directly lead to vulnerability, but provides a possibility (like exposing software version, which can be mapped to specific vulnerabilities), old dependencies, server misconfiguration
Exclusion
Server specific configurations and deployment specific configurations due to on premise nature of our software. All server configuration related issues will be reported to related departments/parties/companies, but we cannot guarantee any bounty rewards for them.