Bug Bounty Program

Why TurboPentest Has a Bug Bounty

A security platform must hold itself to the highest security standards. TurboPentest's bug bounty program invites the security community to test the platform itself and report vulnerabilities responsibly. If we ask you to trust us with your pentesting, we must prove our own security posture is robust.

The program is open to all security researchers. You do not need to be a TurboPentest customer to participate.

Scope

In Scope

The following assets are in scope for the bug bounty program:

• Web Application — turbopentest.com (all routes including /api, /learn, etc.)
• REST API — All turbopentest.com/api/v1 endpoints
• Authentication System — Login, registration, session management, OAuth flows
• Webhook System — Webhook delivery, signature verification, callback handling
• MCP Server — The npm-distributed MCP server package
• GitHub Action — The turbopentest/action GitHub Action
• Payment Processing — Stripe integration, credit purchasing, and billing flows

Out of Scope

The following are explicitly excluded:

• Phase 1 Tools — Vulnerabilities in third-party tools (Nmap, ZAP, Nuclei, etc.) should be reported to their respective maintainers
• P4L4D1N Agents — The AI agents themselves (prompt injection against the pentesting agents is not a vulnerability in TurboPentest)
• Social Engineering — Phishing, pretexting, or social engineering attacks against TurboPentest employees
• Denial of Service — Volumetric DoS or DDoS attacks
• Third-Party Services — Vulnerabilities in Neon, Upstash, Vercel, or other infrastructure providers
• Previously Reported — Issues already reported by another researcher and under remediation

Severity Tiers and Rewards

Rewards are based on the severity of the vulnerability and its potential impact on TurboPentest users.

Critical (Rewards: 100-200 credits)

Vulnerabilities that could lead to:

• Remote code execution on TurboPentest infrastructure
• Access to other users' pentest results or account data
• Bypass of authentication to access any user's account
• Access to stored payment information or billing data
• Compromise of the webhook signing mechanism allowing forged notifications

High (Rewards: 50-100 credits)

Vulnerabilities that could lead to:

• Privilege escalation (regular user gaining admin access)
• Stored XSS that executes in other users' sessions
• IDOR (Insecure Direct Object Reference) exposing other users' data
• API authentication bypass
• Credit manipulation (spending others' credits or generating free credits)

Medium (Rewards: 20-50 credits)

Vulnerabilities that could lead to:

• Reflected XSS requiring user interaction
• CSRF on sensitive actions (password change, email change, API key generation)
• Information disclosure of non-sensitive internal data
• Rate limiting bypass on sensitive endpoints
• Insecure default configurations

Low (Rewards: 5-20 credits)

Vulnerabilities that could lead to:

• Missing security headers (with demonstrated impact)
• Verbose error messages revealing stack traces or internal paths
• Subdomain takeover on non-sensitive subdomains
• Email enumeration via login or registration endpoints
• Missing best practices with minimal security impact

Informational (No reward, but acknowledged)

• Theoretical vulnerabilities without a proof of concept
• Issues requiring unlikely or impractical attack scenarios
• Best practice recommendations without security impact

Reporting Process

How to Submit

1. Email — Send your report to security@turbopentest.com
2. Include — A clear description of the vulnerability, steps to reproduce, proof-of-concept (screenshot, video, or code), and the potential impact
3. Do not — Exploit the vulnerability beyond what is necessary for the proof of concept. Do not access other users' data, exfiltrate data, or cause service disruption.

Report Template

Use this structure for your report:

**Title**: [Brief description of the vulnerability]

**Severity**: [Your assessment: Critical/High/Medium/Low]

**Affected Asset**: [URL, endpoint, or component]

**Description**: [Detailed explanation of the vulnerability]

**Steps to Reproduce**:
1. [Step 1]
2. [Step 2]
3. [Step 3]

**Proof of Concept**: [Screenshots, video, or code]

**Impact**: [What an attacker could achieve]

**Suggested Fix**: [Optional but appreciated]

Response Timeline

• Acknowledgment: Within 24 hours of submission
• Triage: Within 3 business days — we confirm validity and assign severity
• Fix: Depends on severity — Critical (24 hours), High (7 days), Medium (30 days), Low (90 days)
• Reward: Credits issued within 5 business days of fix deployment
• Disclosure: Coordinated disclosure allowed 90 days after fix, or earlier with mutual agreement

Responsible Disclosure

TurboPentest follows a coordinated disclosure model:

• Do not disclose publicly until the fix is deployed and the disclosure window has passed
• Do not test against other users' accounts — Create your own test accounts
• Stop testing if you access real user data — Report immediately and do not proceed further
• Do not automate at scale — Manual testing with reasonable request volumes only

Researchers who follow responsible disclosure practices receive public acknowledgment on our security hall of fame (with permission).

Hall of Fame

The TurboPentest Security Hall of Fame (turbopentest.com/security/hall-of-fame) recognizes researchers who have responsibly disclosed valid vulnerabilities. Entries include the researcher's name (or handle), the date, and the severity tier. Specific vulnerability details are not published.

Being listed on the Hall of Fame requires:

• A valid, in-scope report
• Following responsible disclosure practices
• Opting in to public acknowledgment

Bug Bounty Hunter Discord Role

Researchers who submit at least one valid report earn the Bug Bounty Hunter role on the TurboPentest Discord server. This role provides recognition and access to the #bug-bounty channel for discussing security research methodology with other hunters.