We are calling all bug catchers!

Our goal is to make Hyra perfect for everyone. If you feel there are any issues or areas for improvement, we'd love to hear about them!

We'd love to get your feedback regarding feature and integration requests, our API, and bug reports as well!

Detailed bug reports are more likely to be reproduced and therefore more likely to be fixed.

Reward range

We pay successful bounty hunters according to the priority tier of their report.

P1 - Critical: $100 - $200

P2 - Severe: $50 - $99

P3 - Moderate: $15 - $25

P4 - Low: $5

P5 submissions do not receive any rewards for this programme.

In Scope

The following properties are in the scope of this programme.

All domains/endpoints other than those listed in the In Scope section are out of scope.

Target information

  • The target URLs are the same as those used by our real customers; please keep this in mind and act accordingly.

  • Automated vulnerability scans are strictly prohibited.

  • No attacks against Hyra's existing user base.

  • No phishing.

  • No DDoS attacks.

Focus areas

  • Cross site request forgery on critical actions

  • Cross site scripting (XSS), including those blocked by our CSP

  • Remote code execution / shell injection

  • Authentication bypass

  • SQL injection (though typically out of scope, as SQL is not used in Hyra)

  • Insecure direct object references

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Intercom not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to Hyra, it may be reported to this program, and is appreciated - but will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.

Payouts above $5.00 can be cashed via PayPal or FPS if you are in the UK. Rewards on the P4 tier will be paid via a Classic Discord Nitro Month or a $5 Roblox Gift Card.

If you are reporting a security vulnerability, please send us a message in the chat or email [email protected].
