Bug Bounty Program - General Principles

Routescan maintains a security-research program to encourage responsible disclosure of vulnerabilities in our systems. We welcome reports from security researchers, ethical hackers, and developers who wish to help us improve the safety and reliability of our services.
To participate, you must agree to:
  • Avoid actions that could compromise user privacy, degrade the user experience, disrupt our production systems, or cause data loss or corruption.
  • Use only the official channels we provide to communicate vulnerability details.
  • Notify us promptly when you discover a security issue, and refrain from public disclosure until the matter has been addressed.
  • Allow us a reasonable period of at least 7 working days to analyze the issue and respond to you.
We reserve the right to evaluate the validity, severity, and impact of any reported vulnerability at our sole discretion.
Eligibility and Rewards
We may provide monetary rewards to the first researcher who reports a valid security vulnerability that leads to a meaningful change in our code or configuration.
Rewards are paid in cryptocurrency, up to a maximum of $2,500 per month, and the amount will depend on:
  • The technical severity of the issue.
  • The potential impact on users or systems.
  • The effort required to reproduce and verify the vulnerability.
Examples of the types of vulnerabilities that may qualify for higher-value rewards include:
  • Remote code execution (RCE) on our systems.
  • Injection flaws (e.g., SQL injection) that expose sensitive data or allow unauthorized access.
  • Server-Side Request Forgery (SSRF) with demonstrable internal impact.
  • Access control or authorization flaws that enable privilege escalation or information disclosure.
  • Business-logic or workflow weaknesses that can be exploited to bypass intended protections.
Lower-severity or informational findings (for example, where the risk is minimal even if a configuration change is made) may be acknowledged and documented internally but may not receive a monetary reward.
Scope of the Program
The bug bounty program applies to:
Vulnerabilities must be practically exploitable and demonstrate a realistic security risk, not purely theoretical concerns.
Out of Scope and Non-eligible Findings
The following types of findings are generally not eligible for a bounty, unless they combine with other flaws to create a clearly serious business-risk scenario evaluated at our discretion:
  • Spelling or typographical errors, UI/UX quirks, visual glitches, and data-entry inconsistencies.
  • Vulnerabilities that rely primarily on social-engineering or deception (e.g., phishing).
  • Issues found in third-party services, libraries, or platforms not under our direct control or listed above.
  • Network-level Denial-of-Service or DDoS-related patterns.
  • HTTPS-related or TLS-related issues (e.g., certificate configuration, missing headers, server-info disclosures).
  • DNS-related or general server-configuration items (e.g., open ports, default banners).
  • Spam-related abuse or social-engineering-style attack patterns.
  • Issues in third-party integrations or components.
  • Self-XSS or other XSS variants that do not affect other users.
  • CSRF-related or CSRF-XSS corner cases around login/logout flows.
  • Brute-force or enumeration-style patterns via login or password-recovery mechanisms.
  • Configuration or "best-practice"-style suggestions that do not correspond to a concrete, exploitable flaw.
How to Submit a Report
To submit a complete security-vulnerability report, please provide:
  • A clear description of the component or endpoint involved, and the potential impact on data or services.
  • Reproducible steps to demonstrate the issue, including any relevant proof-of-concept code, screenshots, or screen recordings.
  • Your preferred name or handle and a link (e.g., to Twitter, Reddit, or HackerOne) if you would like to be acknowledged in our security-research notes.
  • A list of the specific explorer or service instances affected.
You should submit your report via the Interactive Support Hub chat, accessible through the chat icon in the bottom-right corner of the Routescan.io page.