Basecamp Formally Launch Bug Bounty Program to Public

After years of running a private vulnerability disclosure program, Basecamp has now opened its bug bounty program to the public. Any bug bounty hunter can participate in the program via HackerOne.

Basecamp Bug Bounty Program

Reportedly, Basecamp has decided to formally launch its bug bounty program for everyone.

Announcing the decision in a blog post, the firm revealed that the new program will be open to all security researchers and bug hunters.

The company had already been running a private program since 2014. Under that program, it invited select hackers to find vulnerabilities in the firm’s products, then acknowledged them in a Hall of Fame in addition to awarding bounties.

Now the company has decided to expand the program, allowing researchers and bug hunters worldwide to find and report vulnerabilities in its products.

We want to find and fix as many vulnerabilities in our products as possible, to protect our customers and the data they entrust to us. We also want to learn from and support the broader security community.

Bounties up to $10,000

According to the details shared, the bug bounty program will accept reports of vulnerabilities in the HEY and Basecamp websites and mobile apps. Regarding the vulnerabilities accepted under the program, they stated,

Our focus is on strong auth (sign-in, sessions, OAuth, account recovery), access control (bypasses, faults, CSRF, etc), and injection prevention (SQL, XSS, method args, etc).

They have also explicitly listed the issues that Basecamp considers out of scope for the program.

In addition, any attempts targeting other users’ accounts, social engineering, automated scanning, or brute-forcing will disqualify a bug report.

As for the bounties, rewards range from $100 for low-severity bugs up to $10,000 for critical bugs, with critical reports earning a hefty bounty that starts at $5,000.

Interested researchers can visit the Basecamp HackerOne page for more details about the program.
