Bug Bounty Program

Participate in the Borderless Bug Bounty Program

Bounties for verified security vulnerabilities reported by third party ethical security researchers.

Version: 2025-10-14

Overview of the program

Bounty

Borderless will pay bounties for ethically reported vulnerabilities that were previously unidentified by Borderless.

Terms

The submission of reports implies acceptance of the terms of this program. Participants should carefully review all terms below before participating.

Payment

Payment will be made through the Borderless AI platform.


Bounties

Rewards by severity of issue (determined by Borderless AI)
All amounts in USD

  • Critical - $600
  • High - $300
  • Medium - $75
  • Low - $25

Requirements

The program requirements include the following:

  1. Research must be done on the Test environment: https://app.borderless.ninja/ .
    1. Testing on the production site (app.hireborderless.com) is NOT allowed.
    2. Fake resources (users, contracts, legal entities) should NOT be created in production (app.hireborderless.com) for the purposes of testing. Researchers may create one real user account, which will be used to pay them (see below), and one legal entity, for themselves in the production environment.
    3. Several resources of each type may be created in the Test environment (app.borderless.ninja) by researchers as needed.
  2. Proprietary data belonging to other customers must not be accessed from the production environment: app.hireborderless.com.
  3. No damage may be done to production data.
  4. Causing downtime on the production site is not allowed.
  5. No harm to Borderless, its business, its customers, or its partners is allowed.
  6. Reports must not be disclosed to others until Borderless has had 12 months to complete remediation in all systems.
  7. The incident reports must not be used to tarnish Borderless’ public reputation.
  8. All reported bugs must be reproducible on an up-to-date device, assuming the customer follows best practices for that device.

Limitations

While Borderless has throttling in place, the limits are intentionally different between the Test and Production environments. It is generally not useful to test throttling in the Test environment without knowing the exact throttle thresholds for that specific environment, which Borderless does not disclose.

Submission and payment process

Please review each step

  1. Create a payment account on the Borderless AI platform https://app.hireborderless.com/console/contractor
    1. After creating your account, select the Contractor console using the upper left-hand selector.
    2. Complete the first 3 onboarding steps, including:
      1. Completing your user profile,
      2. Verifying your identity, and
      3. Adding a payment method.
    3. Do NOT perform any penetration testing on this site, per the terms outlined above, or you may be disqualified from the program.
  2. Submit the report using this form: https://forms.gle/zqqY8VoJvjwBZKJY8
    1. Each unique issue must be submitted individually through the form.
  3. An ethically reported vulnerability will be verified and assigned a severity by the Borderless Security Team.
    1. These definitions are internal, aligned with industry standards, and aligned with Borderless' independent security auditors.
    2. Severity definitions are not subject to reporter redefinition.
  4. You will receive an email in 1-2 months.
    1. Correspondence will use security@hireborderless.com, but do not email this address before completing steps and waiting to hear back.
  5. Borderless will pay the security researcher through the Borderless platform.
    1. The researcher will be invited to join the company's own account on the Borderless platform.
    2. After accepting the invitation with their own Borderless user, the researcher will submit an invoice through the Borderless platform.
    3. Borderless will pay the invoice through the Borderless global payments feature.

Disqualifications

Please review each warning

⚠️ Warning

The program is intended exclusively to enable third party researchers to submit critical vulnerabilities, such as missing authentication on endpoints, or similarly critical issues.

Submitters can be disqualified for any violations of the program. Previously submitted reports may not qualify for payment and no further issues will be accepted from that reporter.
Example reasons for disqualification:
  1. Submitting issues for functionality OUTSIDE of app.borderless.ninja (SMTP / email configurations, reports about other subdomains or marketing pages).
  2. Sending multiple reports for low severity items, such as
    1. Reports about email address validations,
    2. Reports about configuration best practices,
    3. Reports about the application's choice of security token TTLs, session timeouts, session invalidation policies, etc.
  3. Sending reports to Borderless outside the defined submission process above.
  4. Sending emails requesting changes to the severity assessment without additional evidence that materially alters the technical or business impact originally evaluated.
  5. Any communication or action that is considered as harassment, or is inconsistent with a respectful, productive exchange.
    1. This includes repeatedly emailing to request status updates.

Report format

Complete reports are more likely to be accepted

Summary

1-2 line description of the issue

Vulnerability details

- Description of vulnerability
- Detailed steps to reproduce the vulnerability
- Description of impact

Proof of concept

Proof of concept demonstrating the vulnerability, using the test environment.
This should include a screen recording, or a screenshot, showing information disclosure or corruption.

Any HTTP requests submitted as evidence of the reported issue should be submitted in the form of a cURL command.

Recommended fix

Additional information