AedoBuild
Log inGet started

Bug bounty program

Find a security issue? We pay for responsibly disclosed vulnerabilities.

How to report

Email a detailed report to security@aedobuild.com. PGP key available on request. We respond within 24 business hours and acknowledge valid reports within 5 days.

Please include: a clear description, reproduction steps, the impact, and (if you can) a proof-of-concept. Screenshots and video help a lot.

Scope

In scope:

  • The main application at aedobuild.com and *.aedobuild.com
  • The mobile resident portal
  • The public API

Out of scope:

  • Denial of service, volumetric attacks, rate-limit abuse
  • Social engineering of AedoBuild staff or customers
  • Physical attacks against our offices or data centers
  • Issues in third-party services we use (Stripe, Resend, Vercel, etc.) — report those to the vendor
  • Findings from automated scanners without a working PoC
  • Self-XSS, missing CSP headers without impact, clickjacking on non-sensitive pages

Rewards

Bounties are awarded based on severity and impact. We use the CVSS v3.1 scoring system as a baseline, with final amounts at our discretion based on quality of report and real-world impact.

SeverityReward rangeExamples
Critical$1,000 – $5,000Auth bypass, RCE, exposing other orgs' data
High$500 – $1,000Privilege escalation within an org, IDOR with sensitive data
Medium$100 – $500Stored XSS, CSRF, broken access control on minor endpoints
Low$50 – $100Reflected XSS, missing security headers with impact

Rules

  • Do not access, modify, or delete data belonging to others.
  • Use only your own test accounts. Sign up at aedobuild.com/signup if needed.
  • No social engineering, phishing, or physical attacks.
  • Give us reasonable time to fix issues before public disclosure (90 days is standard).
  • Submit one vulnerability per report.
  • One bounty per unique issue. Duplicates go to the first reporter.

Safe harbor

We will not pursue legal action against researchers who follow these rules. We treat your report as authorized testing. If a third party initiates legal action against you because of work done under this policy, we will make it known that your activity was authorized.

Hall of fame

We thank researchers publicly (with consent). Submit a valid report and you'll be listed below.

No reports yet. Be the first.