Security Research Program

Bug Bounty Program

Rewards up to $50,000

Help us secure the future of encrypted communications. We reward security researchers who responsibly disclose vulnerabilities in our zero-knowledge messaging platform.

$387,000
Total Rewards Paid
152
Vulnerabilities Fixed
1,847
Security Researchers
2.3 Days
Average Response Time

Reward Tiers

Our rewards are based on the security impact and exploitability of the vulnerability

🔥

Critical

$25,000 - $50,000

Vulnerability Examples:
Remote Code Execution (RCE)
Authentication bypass leading to account takeover
Cryptographic implementation flaws
Zero-knowledge proof manipulation
Federation protocol exploitation
Complete E2EE bypass
⚠️

High

$5,000 - $25,000

Vulnerability Examples:
Privilege escalation vulnerabilities
SQL injection with data access
Significant cryptographic weaknesses
Message interception/tampering
Federation metadata manipulation
Cross-tenant data access
⚑

Medium

$1,000 - $5,000

Vulnerability Examples:
Cross-Site Scripting (XSS)
Information disclosure
Business logic flaws
Insecure direct object references
Rate limiting bypass
Minor cryptographic issues
ℹ️

Low

$250 - $1,000

Vulnerability Examples:
CSRF with minimal impact
Information leakage
Missing security headers
Minor configuration issues
UI/UX security improvements
Documentation vulnerabilities

Program Scope

Understanding what's covered and what's not in our bug bounty program

In Scope

TapsIM Web Platform (app.taps.im)
TapsIM Mobile Apps (iOS/Android)
TapsIM Federation Server (GOServer)
API endpoints (api.taps.im)
Client-side cryptographic implementations
Zero-knowledge proof systems
Federation protocol security
End-to-end encryption mechanisms

Out of Scope

Third-party services and dependencies
Issues requiring physical access
Social engineering attacks
Denial of Service (DoS) attacks
Brute force attacks on authentication
Issues in outdated browser versions
Theoretical cryptographic attacks without PoC
Issues requiring user interaction without security impact

Hall of Fame

Recognizing the security researchers who help keep TapsIM secure

CH
@CryptoHunter
Cryptographic Analysis
🏆 Elite
7
Vulnerabilities Found
$85,000
Total Rewards
ZM
@ZKProofMaster
Zero-Knowledge Protocols
🥇 Expert
5
Vulnerabilities Found
$67,000
Total Rewards
FS
@FedSecure
Federation Security
🥈 Veteran
12
Vulnerabilities Found
$45,000
Total Rewards
EE
@E2EExploit
End-to-End Encryption
🥉 Pro
8
Vulnerabilities Found
$38,000
Total Rewards
MS
@MobileSecRes
Mobile Security
⭐ Rising
15
Vulnerabilities Found
$32,000
Total Rewards
IG
@InfraGuardian
Infrastructure Security
🔒 Trusted
6
Vulnerabilities Found
$28,000
Total Rewards

Submission Process

Our streamlined process ensures fast response times and fair rewards

1

Report Submission

Day 1

Submit vulnerability via encrypted portal

2

Initial Triage

1-2 Days

Security team confirms and categorizes

3

Investigation

3-7 Days

Technical analysis and impact assessment

4

Fix Development

1-4 Weeks

Patch development and testing

5

Reward Payment

2-5 Days

Payment processing and Hall of Fame entry

Rules of Engagement

Please follow these guidelines to ensure responsible disclosure

✅ Do's

• Provide clear reproduction steps
• Include proof-of-concept when possible
• Allow reasonable time for fixes
• Respect user privacy and data
• Use dedicated test accounts
• Report through official channels

❌ Don'ts

• Access other users' data
• Perform destructive testing
• Disclose publicly before fix
• Spam or flood our systems
• Social engineer employees
• Use automated scanning tools

🛡️ Legal Safe Harbor

TapsIM provides legal safe harbor for security research conducted in accordance with our bug bounty program guidelines. We will not pursue legal action against researchers who:

• Follow responsible disclosure practices
• Avoid privacy violations and data destruction
• Only test against designated targets
• Make good faith efforts to avoid harm

Ready to Submit a Vulnerability?

Use our secure, encrypted portal to report security vulnerabilities. All submissions are processed within 48 hours.

Contact Security Team
PGP encrypted submissions
Fast response guarantee
Anonymous submissions welcome