Vulnerability Disclosure Policy

Pyrus takes security very seriously, and investigates all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in all Pyrus apps.

Investigating and Reporting Suspected Vulnerabilities

If you have a security or privacy concern with Pyrus, please contact us at security@pyrus.com. The information you share with Pyrus as part of this process is kept confidential within Pyrus. It will not be shared with third parties without your permission.

So that we may more effectively respond to your report, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.

Pyrus will typically respond to you within 2 business days, acknowledging receipt of the report and outlining the next steps in the process.

When investigating a vulnerability, please only ever target your own accounts. Never attempt to access anyone else's data. We recommend that you create an account dedicated only to testing before beginning any tests, since we cannot guarantee that you will get access back to your account if it is disabled due to your testing activities.

Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks.

Reward for vulnerabilities

A reported vulnerability may qualify for a monetary reward, which is paid out after the vulnerability review is complete. You are responsible for any tax implications depending on your country of residency and citizenship.

The reward amount is chosen at the discretion of Pyrus. Typically, higher rewards are paid for unusually clever or severe vulnerabilities, or those that could affect many users; and lower rewards for vulnerabilities that require unusual user interaction.

Typically, for qualifying vulnerabilities the reward is paid out within 1-2 weeks after the initial email report is received by Pyrus at security@pyrus.com.

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:

  • Cross-site scripting,
  • Cross-site request forgery,
  • Authentication or authorization flaws,
  • Server-side code execution bugs.

In addition, significant abuse-related methodologies are also in scope for this program if the reported attack scenario displays a design or implementation issue in the Pyrus web, mobile, or desktop app that could lead to significant harm.

Non-qualifying vulnerabilities

Depending on their impact, some of the reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the common scenarios that typically do not earn a monetary reward:

Flaws affecting the users of out-of-date browsers. The security model of the web is constantly being fine-tuned. Problems will typically not be rewarded if they affect only the users of browsers not on the following list:

  • Google Chrome, current and two preceding versions,
  • Firefox, current and two preceding versions,
  • Safari, current and two preceding versions,
  • Microsoft Edge.

Flaws affecting the users of out-of-date mobile operating systems. Similarly, problems will typically not be rewarded if they affect only the users of Pyrus mobile apps installed on mobile operating systems not on the following list:

  • Android 5.0 and above,
  • iOS 11.0 and above.

Recent vulnerabilities in 3rd-party dependencies. Usually, reports regarding vulnerabilities in 3rd-party dependencies (e.g. libraries, modules, etc.) won't be rewarded if fewer than 30 days have passed since the issue was fixed upstream.

If somebody else also found the same bug. You will qualify for a reward only if you were the first person to alert us to a previously unknown flaw.

If you disclose the bug publicly before Pyrus has had a chance to fix it. We at Pyrus make our best effort to respond promptly and fix bugs in a sensible timeframe. In exchange, we ask for reasonable advance notice.