Honeycomb welcomes responsible disclosure of security vulnerabilities. This page covers the core terms of our bug bounty program. Where the circumstances require interpretation or judgment, we apply our discretion based on the situation and your conduct.

In scope

This program covers security vulnerabilities affecting services provided by us at ui.honeycomb.io and api.honeycomb.io, including:
  • Web application vulnerabilities, such as XSS, CSRF, SQLi
  • Authentication issues
  • Authorization issues
  • Remote code execution

Out of scope

The following are not covered by this program, regardless of any in-scope coverage indicated above:
  • Any issues related to www.honeycomb.io, docs.honeycomb.io, or info.honeycomb.io
  • Social engineering
  • Out-of-date browsers and plugins
  • Vulnerabilities in third-party applications that don’t directly affect Honeycomb’s data or services
  • Issues already known to us or previously reported by others
  • Issues we’ve determined to be of acceptable risk

Ineligible activities

The following activities are out of scope, ineligible for a reward, and may result in an IP ban from our services and removal from the program:
  • Denial of service (DoS) attacks, or any action that generates excessive traffic
  • Testing rate limiting
  • Using automated tooling in a way that generates excessive traffic
  • Spam of any kind
  • Engaging with our support team as part of your report

Non-qualifying vulnerabilities

We do not pay rewards for vulnerabilities that are trivial or broadly applicable across services, including:
  • Lack of password length restrictions
  • Demonstrating that a page can be iFramed without identifying a clickjackable link on that page
  • Self-XSS
  • Vulnerabilities that require privileged access to the victim’s device, such as a rooted phone
  • User existence or enumeration vulnerabilities
  • Password complexity requirements
  • Insecure cookie settings for non-sensitive cookies
  • Bugs that require highly unlikely user interaction to exploit
  • Reports from automated tools or scans without an accompanying demonstration of exploitability
  • Text-only injection in error pages
  • Automatic hyperlink construction by third-party email providers
  • Using email mutations (+, ., etc.) to create multiple accounts from a single email address

Researcher responsibilities

We work with researchers who follow responsible disclosure practices. To participate, you must:
  • Allow us reasonable time to investigate and mitigate an issue before disclosing or sharing it with others.
  • Not interact with other users or accounts without their explicit, informed consent.
  • Avoid all privacy violations and any disruption of service to other users and accounts.
  • Not exploit any security risk you discover, including through additional demonstrations of the same risk.
  • Comply with all applicable laws and regulations.
  • Submit reports that clearly demonstrate applicability to Honeycomb’s tools, systems, or infrastructure.
  • Provide your real name, proof of identity if requested, and a non-cash payment method.

Submitting a report

Send your report to security@honeycomb.io. Reports submitted via BCC are not accepted.

Rewards

All rewards are at our discretion. We aim to align reward amounts with the severity of the reported vulnerability and appreciate the time and effort responsible researchers invest.