Truely Bug Bounty Program
Welcome to Truely bug bounty program. Your contributions to our security are highly valued. If you discover a security issue, we encourage you to report it to us responsibly.
Published on June 23, 2025
Bounty Rewards
The rewards for reporting security vulnerabilities vary depending on the severity of the vulnerability. We offer a range of rewards, from $50 to $400.
|
Severity Level* |
Bounty |
|
Informational |
None |
|
Low |
50 USD or Merchandise |
|
Medium |
100 USD |
|
High |
200 USD |
|
Critical |
400 USD |
*For details of the severity level, please see the section on “Vulnerability Types” below.
When a monetary bounty is applied, eligible reports will be assessed.
For all High and Critical vulnerabilities, the internal assessment will also be applied to ensure alignment with our business priorities and development strategies.
Scope
Brands that are in scope
- Truely
Note: All the domains and subdomains owned by the above group companies are in scope.
Timeline to response
|
Type of response |
Business Days |
|
Response back and forth |
5-21 days |
|
Time to Bounty |
40-45 days |
|
Time to Resolution |
Depends on the impact severity and complexity |
Disclosure Guidelines
By providing a submission under this Program or agreeing to the Program Terms, you agree and undertake, at all times, to maintain as confidential your report, and that you shall not distribute, disclose or use (other than for the strict purpose of this Bug Bounty Program) any information relating to your findings or the contents of your report, or allow such information and contents of your report to be distributed, disclosed to, or used by any third party in any way without Truely prior written approval.
Failure to comply with the Program Terms, including these disclosure guidelines, will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any bounty payments, without prejudice to any other remedies or rights that the Truely may have.
How to Report a Security Issue
Please use the form below to submit your security findings. We appreciate your cooperation in making our systems more secure.
Vulnerability Types
Truely will only award monetary rewards for reports demonstrating meaningful impact based on the Bounty Reward Level set out above. The following table provides examples of vulnerabilities and their various severities. All decisions on the severity of a vulnerability are at Truely discretion and shall be final.
|
Severity |
Examples |
|
Critical |
RCE on production server, bulk personally identifiable information (PII) exposure, source code access, mass account take over |
|
High |
Restricted or limited account take-over, privesc |
|
Medium |
Business logic error with monetary impact |
|
Low |
Exposed API keys with low privileges |
|
Informational |
Duplicate, out of scope report |
Report Eligibility
Truely reserves the right to decide if the minimum severity threshold is met and whether the vulnerability was previously reported.
To qualify for a reward under the Bug Bounty Program, your report should:
-
Be the first to report a specific vulnerability. Reported issues that are already known to us will be closed as duplicates;
-
Contain a clear description of vulnerability being reported and an explanation of the steps required to reproduce the vulnerability; and
-
Include evidence of the vulnerability. This might include videos, screenshots, exploit code, traffic log, full web/API requests and responses, email address or user ID of any test accounts, and IP address used during testing.
Scope for Web applications
In-scope vulnerabilities
The following findings are included in the Bug Bounty Program:
-
Remote code execution (RCE) (Please refer to RCE guideline to secure your bounty)
-
Injection attacks [SQL, XML, XXE, CRLF, SSI]
-
Server-Side Request Forgery
-
Insecure Deserialization
-
Path Normalization
-
Cross-site scripting (XSS)
-
Directory traversal
-
API rate limiting bypass
-
JWT vulnerabilities
-
Significant security misconfiguration with a verifiable vulnerability
-
Exposed usable credentials, API keys, etc.
-
Improper/Broken Authentication
-
Missing/Incorrect Authorization: Horizontal Privilege Escalation; Vertical Privilege Escalation; IDOR, Authorization Bypass
-
If a reproducible proof of concept is not included, the report is closed as "informational."
-
Mass harvesting/crawling public information in a short time (emails, phone numbers, ads details)
-
Cross-site request forgery (CSRF) only for sensitive functions in a privileged context
Out-of-scope vulnerabilities
The following findings are specifically excluded from the Bug Bounty Program:
-
Physical interaction against the Truely property
-
Social engineering attacks, including those targeting or impersonating internal employees or customers by any means (.e.g.,Customer support channels, social media)
-
Limited username/email/phone number enumeration on customer-facing systems
-
Scanner output or scanner-generated reports, including automated or active exploit tool
-
Man-in-the-middle attacks, for example:
-
Intercepting HTTPS/HTTP traffic (like eavesdropping in a coffee shop)
-
Compromised end-devices (PCs, phones) that proxying all traffic to hackers without the victim's notice
-
Any vulnerabilities without a specific, demonstrable impact:
-
Missing Security HTTP Headers (without proof of exploitability)
-
Use of known-vulnerable library (without proof of exploitability)
-
Verbose error pages (without proof of exploitability)
-
Any activity that could lead to the disruption of our service
-
DoS/DDoS
-
Brute Force attacks
-
Spam attacks
-
Any vulnerabilities that require significant/unlikely/theoretical user interaction (.e.g., disabling browser controls)
-
"Self" XSS | HTTP Host Header XSS | Flash based XSS
-
Open redirection, except:
-
Clicking on Truely and got redirected immediately
-
Redirection causes the loss of sensitive data (.e.g., Session tokens, PII)
-
Issues with SSL certificates
-
Incomplete/Missing SPF/DKIM
-
Exposed creds that are no longer valid (Truely will confirm)
-
Software Version Disclosure
-
Missing cookie flags
-
Reflected file download
-
Arbitrary text injections
-
Clickjacking/UI Redressing
-
Missing Security Best Practices
-
Autocomplete attribute on web forms
-
Login/logout CSRF
-
Vulnerabilities in any Wordpress-based subdomains
Note: 0-day or any other known CVE vulnerabilities impacting our services can only be reported after 30 days. We have teams internally track the CVEs.
Remote code execution (RCE) guidelines
For all RCE reports, a failure to provide any of the information below may result in ineligibility for the bounty payment
-
Source IP address
-
Timestamp (with timezone)
-
Full server request, responses (copyable)
-
Filename of any uploaded file
-
Callback IP and port, if applicable
-
Any data that was accessed (deliberately or inadvertently)
You may not:
-
Modify any files or data (including permissions)
-
Delete anything
-
Interrupt normal operation (.e.g. reboot/restart)
-
Create persistent connection (.e.g. backdoor)
-
View any files
All decisions are at the discretion of the Truely Pte Ltd and our decision shall be final.
DON'T TAKE OUR WORD FOR IT, TRY TRUELY TODAY
Best refund policy. No strings.