Effective: June 12, 2026 · Program started: June 12, 2026
Overview
Skylina welcomes responsible security research. Our Bug Bounty Program offers rewards for reporting security vulnerabilities in our platform, API, and associated services. We are committed to working with the security community to keep Skylina safe for everyone.
Reward Tiers
P1 — Critical
$500
Remote code execution, critical data breach, authentication bypass, payment flaws
Examples: SQL injection with data exfiltration, SSRF leading to cloud metadata access, broken authentication allowing account takeover
P2 — High
Examples: Stored XSS with session hijacking, IDOR leading to unauthorized data access, CSRF on sensitive actions
P3 — Medium
$50
Security issues with limited impact or difficult exploitation requirements
Examples: Reflected XSS without session impact, informational disclosure, weak brute-force protections on non-critical endpoints
Rewards are paid via PayPal, bank transfer, or as Skylina platform credits (credit choice at Skylina's discretion). Reward amounts are influenced by severity, exploitability, and business impact. We reserve the right to determine final reward amounts.
In Scope
✅ In scope (eligible for rewards)
api.skylinaai.com and skylinaai.com web application vulnerabilities
Skylina API authentication and authorization flaws
Cross-site scripting (stored or reflected)
Cross-site request forgery on sensitive operations
SQL injection or other command injection
Server-side request forgery (SSRF)
Insecure direct object references (IDOR)
Sensitive data exposure (PII, credentials, API keys)
Payment manipulation or pricing exploits
OAuth or session management flaws
File inclusion or path traversal vulnerabilities
Security misconfiguration with demonstrated impact
❌ Out of scope
Social engineering or phishing attacks against Skylina employees or users
Physical security testing or testing of third-party services
Denial of service attacks or resource exhaustion
Spam or content injection via comments/reviews without security impact
Tab-napping or open redirect vulnerabilities without additional impact
Missing HTTP security headers (HSTS, CSP, etc.) as standalone findings
Vulnerabilities in third-party libraries or services not controlled by Skylina
Self-XSS or XSS in non-user-controlled contexts without demonstrable impact
Rate limiting or brute force on login endpoints without demonstrated account takeover
Reports from automated scanning tools without proof-of-concept
Response SLAs
Our Commitment to Researchers
Initial acknowledgment: 48 hours
Status update (if not resolved): every 7 days
Initial triage/comment: 5 business days
Final resolution (P1): 30 days
Final resolution (P2): 60 days
Final resolution (P3): 90 days
Responsible Disclosure Guidelines
Guidelines for Researchers
Report vulnerabilities promptly to security@skylinaai.com with proof-of-concept details.
Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue (no data exfiltration, no persistence, no lateral movement).
Do not publicly disclose vulnerabilities until we have had a reasonable opportunity to fix them (minimum 30 days after acknowledgment).
Provide sufficient information for us to reproduce and verify the issue, including affected endpoints, parameters, and steps to reproduce.
Do not store, share, or retain any data obtained through vulnerability testing. Delete all gathered data after reporting.
Do not use production accounts or conduct tests that degrade service for other users.
If a vulnerability involves PII or sensitive data, stop immediately and report to us. Do not download or retain any such data.
Legal Safe Harbor
We will not pursue legal action against researchers who, in good faith, follow this program. Provided you act responsibly and comply with these guidelines, we consider your participation covered by our responsible disclosure policy. If we determine that a researcher has violated these terms (e.g., by publicly disclosing a vulnerability before a fix is available, or by exploiting an issue beyond necessary testing), we reserve the right to take appropriate action.