Security

Bug Bounty Hall of Fame

At PromptBase we take the security of our marketplace seriously. We reward researchers who confidentially and responsibly disclose vulnerabilities they find in our platform.

Scope & rewards

Rewards depend on the severity, exploitability, and impact of the issue. The ranges below are guidelines, not guarantees. For high-quality reports demonstrating exceptional impact or creativity, we routinely pay above the listed range.

We aim to acknowledge reports within 48 hours and triage within 5 business days.

Critical: starting at $1,000
  • Account takeover
  • Payment or balance manipulation
  • Remote code execution
  • Mass user data exfiltration
High: $300 – $1,000
  • Stored cross-site scripting (XSS)
  • Authentication or authorization bypass
  • Privilege escalation
  • Insecure direct object reference (IDOR)
Medium: $100 – $300
  • Reflected XSS
  • Sensitive information disclosure
  • Business logic flaws
  • Subscription / paywall bypass
Low: $50 – $100
  • Minor information disclosure
  • Tabnabbing & open redirects
  • Clickjacking on sensitive actions
  • Missing security best practices with demonstrable impact

Out of scope: social engineering, denial of service, physical attacks, brute force, vulnerabilities in third-party services we don't control, and anything requiring privileged access you already had legitimately. Cosmetic or UX-only bugs, missing security headers without a working exploit, self-XSS, clickjacking on pages with no sensitive actions, automated scanner output without a working proof-of-concept, email spoofing / SPF / DMARC issues, version disclosure, and any report that doesn't include a demonstrable impact are also out of scope.

Hall of fame

The researchers below have helped keep PromptBase safe. Thank you.