Security

Bug Bounty Program

We pay for security vulnerabilities. If you find something, we want to fix it.

Beta program — rewards paid via PayPal or bank transfer within 30 days of verified fix.

What we pay

Critical: up to $1,000

Examples

  • Authentication bypass allowing vault access without credentials
  • Zero-knowledge encryption bypass — ability to read vault contents server-side
  • Remote code execution on our servers
  • SQL injection allowing cross-user data access
  • Death verification bypass — accessing vault without proper verification

High: up to $500

Examples

  • Cross-user data access (IDOR)
  • Privilege escalation to admin
  • Stored XSS in authenticated pages
  • Stripe webhook bypass allowing free subscriptions
  • Rate limiting bypass on authentication endpoints

Medium: up to $200

Examples

  • Reflected XSS
  • CSRF on state-changing endpoints
  • Sensitive data in error messages
  • Open redirect
  • Missing rate limiting on non-critical endpoints

Low: up to $50

Examples

  • Security header misconfiguration
  • Verbose error messages (non-sensitive)
  • Missing HSTS preload
  • Best practice deviations

In scope

  • passedplan.com and all subdomains
  • The Passed Plan iOS and Android apps (when released)
  • The Passed Plan API (api.passedplan.com if applicable)

Out of scope

  • Social engineering attacks against Passed Plan employees or users
  • Physical attacks against our infrastructure
  • Denial of service (DoS/DDoS) attacks
  • Spam or phishing campaigns
  • Issues in third-party services we use (Supabase, Vercel, Stripe, etc.)
  • Vulnerabilities requiring physical device access
  • Issues already reported by another researcher

Rules

  1. Do not access, modify, or delete user data — test only on accounts you own
  2. Do not run automated scanners without prior written permission
  3. Do not publicly disclose before we fix it (responsible disclosure — 90-day window)
  4. Provide a clear description with steps to reproduce
  5. Include an impact assessment and any proof of concept (screenshots, video, code)

How it works

  1. Submit your report to security@passedplan.com
  2. We acknowledge within 24 hours
  3. We verify and reproduce the issue
  4. We fix the vulnerability
  5. We pay the reward within 30 days of the fix
  6. We credit you in our security acknowledgments (optional — we respect anonymity)

Acknowledgments

The following researchers have responsibly disclosed security issues to Passed Plan:

No reports yet — be the first.

Found something?

Email security@passedplan.com

Subject line format: [BUG BOUNTY] Brief description