Sharing this decision via a blog post, the firm revealed that the new program will be open for all security researchers and bug hunters.
The company had already been running a private program since 2014, under which it invited select hackers to find vulnerabilities in its products and then acknowledged them in a Hall of Fame besides awarding bounties.
Now the company has decided to expand this program, allowing researchers and bug hunters globally to find and report vulnerabilities in its products.
We want to find and fix as many vulnerabilities in our products as possible, to protect our customers and the data they entrust to us. We also want to learn from and support the broader security community.
Our focus is on strong auth (sign-in, sessions, OAuth, account recovery), access control (bypasses, faults, CSRF, etc), and injection prevention (SQL, XSS, method args, etc).
They have also explicitly listed all those issues that Basecamp considers out-of-scope for this program.
Also, any attempts targeting other users’ accounts, social engineering, automated scanning, and brute-forcing will disqualify a bug report.
As for the bounties, the rewards primarily range from $100 for low-severity bugs to $10,000 for critical bugs. Critical bug reports offer a hefty bounty that starts from $5000.
Interested users can visit the Basecamp HackerOne page to find more details about this program.