Bug Bounty Program

Help us keep Killswitch secure and earn rewards for responsibly disclosing security vulnerabilities.

Overview

At Killswitch, security is our top priority. We handle sensitive user data with zero-knowledge encryption, and we want to ensure our systems remain secure. We appreciate the work of security researchers who help us identify and fix vulnerabilities responsibly.

Note: Killswitch is currently a pre-revenue startup. Our bounty amounts reflect this stage, but we're committed to rewarding researchers fairly and will increase rewards as we grow.

Scope

In Scope

  • killswitch.app (main application)
  • API endpoints (/api/*)
  • Authentication and session management
  • Client-side encryption implementation
  • File sharing and access controls
  • Deadman switch functionality

Out of Scope

  • Third-party services (Stripe, Twilio, etc.)
  • Social engineering attacks
  • Physical security attacks
  • Denial of service (DoS/DDoS)
  • Rate limiting issues (unless leading to account takeover)
  • Missing security headers without demonstrated impact

Reward Tiers

  • Critical ($150-300): RCE, authentication bypass, master key exposure
  • High ($75-150): Account takeover, data leakage, privilege escalation
  • Medium ($25-75): XSS, CSRF, information disclosure
  • Low ($10-25): Minor security misconfigurations

Rewards are determined based on severity, impact, and quality of the report.

Rules & Guidelines

  1. Don't access or modify other users' data
     Create your own test accounts. Never attempt to access real user data.

  2. Don't disrupt our services
     Avoid actions that could affect availability for other users.

  3. Responsible disclosure
     Give us 90 days to fix the issue before public disclosure. We'll work with you on timing if needed.

  4. One vulnerability per report
     Submit separate reports for each vulnerability to help us track and address them efficiently.

  5. Provide clear reproduction steps
     Include detailed steps, screenshots, or videos to help us understand and verify the issue.

How to Report

Send your security findings to:

hello@killswitch.app

Please include "Security" in the subject line.

Please include:

  • Description of the vulnerability
  • Step-by-step reproduction instructions
  • Potential impact assessment
  • Screenshots, videos, or proof-of-concept code (if applicable)
  • Your preferred payment method (PayPal email for bounties)

We aim to acknowledge reports within 48 hours and provide an initial assessment within 7 days.

Thank You for Helping Keep Us Secure

Your efforts make Killswitch safer for everyone. Check out our Hall of Fame to see researchers we've acknowledged.