Scope
We only pay for vulnerabilities that directly compromise critical Backyard Bandwidth systems. The following domains are in-scope:
- backyardbandwidth.com
- api.backyardbandwidth.com
Anything else is out of scope. Do not send us reports outside these systems.
Read Before Submitting
We only reward submissions that demonstrate a serious, exploitable security impact such as:
- Remote code execution (RCE)
- Authentication bypass or privilege escalation
- Account takeover with no user interaction
- Unauthorized access to sensitive data
- Any vulnerability that compromises user privacy, security, or anonymity (e.g., username deanonymization, exposure of PII, or bypass of privacy protections)
If your report does not clearly show one of the above impacts, it will be ignored.
Program Rules
- Every submission must include reproducible steps, proof-of-concept, and a clear impact statement.
- Automated scanner output, generic issues, or vague “possible vulnerabilities” will be closed immediately.
- Only the first valid report of a vulnerability is eligible for a reward.
- Attempts to re-submit previously denied or duplicate issues will result in a permanent ban from the program.
- Brute-forcing usernames is cryptographically infeasible.
Not eligible (don’t waste your time or ours):
- Missing or misconfigured headers (CORS, CSP, HSTS, etc.) unless chained to real exploitation
- Reflected/DOM XSS without account compromise or sensitive data theft
- Clickjacking, open redirects, or SSL/TLS warnings with no exploitable chain
- CAPTCHA bypasses that don’t directly lead to account compromise
- Email/SPF/DKIM/DMARC “best practice” complaints
- Scanner dumps, outdated library versions, or theoretical vulnerabilities
- Self-XSS, social engineering, phishing, or anything requiring user cooperation
- Denial-of-service or rate-limiting tests
- Any exploit that relies on guessing or brute-forcing a username
Rewards
Reward amounts are based only on proven severity and impact:
- High Impact (RCE, auth bypass, sensitive data theft): $750–$1,000+
- Moderate Impact (significant account compromise with proof): $200–$500
- Low Impact or anything not clearly exploitable: $0
We may issue rewards as service credits instead of cash. Reward decisions are final.
Safe Harbor
We will not take legal action against researchers acting in good faith and within these rules. Do not retain, share, or misuse any sensitive data you access.
Submit a Report
Reminder: If your report is out-of-scope or low impact, it will be ignored without response.