Version: 1.0

Effective Date: October 13, 2025

<aside> 💡

Acknowledgment within 48 hours and status updates every 7 business days. Contact: [email protected]

</aside>

1. Overview

Passguard values the security research community. We operate EU-hosted services that help detect and respond to infostealer infections. If you discover a vulnerability affecting Passguard assets, please report it responsibly so we can fix it and reward you appropriately.

2. In-scope Assets

Product	Host / Asset	Notes
Website	passguard.com	Public website (marketing, docs, blog, KB). Also in
scope: any other asset clearly owned and
operated by Passguard.
Platform	app.passguard.com	Customer-facing app/dashboards, auth, alerts, data.
External API (Production) api.passguard.com		Customer/partner API (keyed, production).
Screening Portal	passguard.app	Screening/search portal.
API Hub (Developer Portal) app.passguard.dev		Important: developer console, key
issuance/rotation, docs, sample apps. Elevated
sensitivity.
Dev API (Sandbox)	api.passguard.dev	Mock data only, intentionally works without an
API key. Lower payouts (25–50% of production)
unless systemic/production impact is demonstrated.
Internal API	Private/internal domains	In scope if publicly reachable and a valid
vulnerability is demonstrated. Eligible for 2× the
standard bounty.

3. Out of Scope (unless chainable to real impact)

Third-party services not owned by Passguard.
DoS/DDoS, traffic flooding, or resource-exhaustion tests.
Social engineering, phishing of staff/customers.
Purchasing or interacting with criminal marketplaces on our behalf.
Automated mass scanning beyond rate limits (see Rules of Engagement).
Cosmetic issues or missing headers without a practical exploit path.

4. Rules of Engagement

Do no harm: use your own/test accounts; do not access, modify, or exfiltrate real customer data.
Default rate limit ≤ 5 requests/second. No stress/load testing without prior written approval.
Identify research traffic (e.g., User-Agent: security-research/ and X-Passguard-Researcher: ).
Stop and report immediately if you encounter sensitive data; capture minimal evidence only.