Last updated on March 26, 2021

We are committed to keeping our websites and applications secure. We’d love to award responsible disclosed vulnerabilities.

Qualifying Vulnerabilities

Designs or implementation issues that can adversely affect the confidentiality and integrity of our user data will be part of the program’s scope. Some common irregularities include:

  • Cross-site scripting
  • Cross-site request forgery
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs

For concern of the availability of our services to all users, we request that you do not carry out any attempts of DoS attacks, leverage black hat SEO techniques, spam, brute force authentication, or do other similarly questionable actions. We also discourage the use of any vulnerability testing tools that may automatically generate very significant volumes of web traffic.

Monetary Rewards Value for Security Vulnerabilities

Monetary rewards for qualifying bugs range from Credits to $2,000, depending on the class of bugs and impact on business. You can find the value of the security vulnerabilities from the table below:

High Medium Low
Probability 2 High $200 $100  
Medium $100 $50 $10
Low $50 $10

1. Assessment on the Impact is based on the attack’s potential for causing privacy violations, financial loss, and other user harm, as well as the user-base reached.

2. Assessment on the Probability takes into account the technical skill set needed to conduct the attack, the potential motivators of such an attack, and the likelihood of the vulnerability being discovered by an attacker.

Please note that the final amount of reward is at the discretion of the rewards panel based on the assessment of probability and impact. The decision will be final and disputes will not be entertained.

Investigation and Report of Bugs

When you investigate a vulnerability, please use your own account as the target of the attack. Do not attempt to access someone else’s data, or engage in activities that will be disruptive or damaging to other users.

In the case where the same vulnerability is present on multiple products, do combine the issues and send one report. If you have found a vulnerability, please contact us at Note that we will only be able to answer technical vulnerability reports.

Note that only the first report on a specific vulnerability will be rewarded, subsequent duplicated reports on the same issue will not be rewarded. first report on the specific vulnerability will be rewarded. Please include steps in plain texts to reproduce the vulnerability, complete with video and/or images.

Legality Grounds

AhaSave is unable to issue rewards to individuals who are on sanctions lists, or who are in countries (i.e. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You will be responsible for any tax implications depending on your country of residence and citizenship. There may be additional restrictions imposed upon you, depending on your local law.

This reward program is not a competition. It is an experimental and discretionary rewards program that will allow our team to work on vulnerabilities that were discovered by tech enthusiasts. Note that AhaSave holds the final discretion to cancel the program at any time and decision to award the monetary reward. Lastly, your testing must not violate any law, or disrupt and/or compromise any data that is not your own.