Security Vulnerability Reward Program
Help us make our products and network more secure.
About the Program
At Gifty, the security of our products and network is a high priority. When releasing new products and updates, we dedicate significant attention to testing security and stability. Despite this care, vulnerabilities may be overlooked during our internal testing, potentially becoming publicly accessible. If you've discovered a security issue in our products or network, please report it as quickly as possible and before making any public announcements. This gives us the opportunity to work together with you to address the problem and prevent misuse.
About Gifty
Gifty is a SaaS company that provides gift card, loyalty and marketing solutions to businesses. We help companies administer and distribute their gift cards across multiple channels (webshop, EPOS systems, app, social media), process transactions, and manage and collect customer data.
Guidelines for Researchers
Follow these guidelines when actively searching for security issues:
- Use test accounts that we can easily identify when actively searching for vulnerabilities. When registering accounts, indicate that you are testing by using a plus-address containing "secresearch" in your email address. For example: [email protected].
- Execute a maximum of 10 requests per second to our APIs and systems.
- Handle access to systems or data responsibly. Never collect more data than strictly necessary to demonstrate the issue. Never view, edit or delete third-party data.
- Clearly describe your finding and provide a step-by-step plan so we can reproduce it. Support your plan with screenshots where possible.
- Send your report to [email protected].
- Do not share the issue with others until it has been resolved and you have received our permission.
Processing Procedure
- We will process your report confidentially. We will not share your personal data with third parties without your consent, unless necessary to comply with legal obligations. You may submit reports under a pseudonym.
- Within 5 working days, we will confirm receipt of your report with a preliminary assessment of the severity and the expected timeline for resolving the issue.
- Within 60 days, and often sooner, we will analyse the problem and implement changes if necessary. We may ask you to verify the fix for us. In exceptional situations where we cannot meet this timeline, we will let you know.
Bug Bounty
We want to encourage the reporting of security issues and therefore pay bug bounties for reported problems that meet the requirements. Once the issue has been resolved, we will let you know if the report qualifies for a bug bounty. Gifty determines the severity classification and whether the report qualifies.
The amount of the bug bounty depends on various factors, such as how likely a vulnerability is to be exploited, how easy it is to do so, and what damage this would cause. We use the tables below as a guideline for determining the reward.
| Environment | Low | Medium | High | Critical |
|---|---|---|---|---|
| Primary application (api.gifty.nl, dashboard.gifty.nl) | €50 | €100 | €350 | €1.000 |
| Secondary applications (wallet.gifty.nl, insights.gifty.nl, *.docs.gifty.nl, *.pos.gifty.nl) | x | €75 | €150 | €500 |
In Scope
Domains:
- api.gifty.nl
- wallet.gifty.nl
- dashboard.gifty.nl
- insights.gifty.nl
- docs.gifty.nl
- backend.docs.gifty.nl
- *.pos.gifty.nl
Systems:
- Dashboard (dashboard.gifty.nl)
- Mobile app for businesses (iOS and Android)
- Order module for consumers
Out of Scope
The following systems and vulnerabilities fall outside our Security Vulnerability Reward Program. An exception is made when these systems can demonstrably be used to exploit our primary systems.
Third-party services:
- CDN providers (except configuration errors)
- Payment Service Providers (except integration errors)
- Email providers
Infrastructure and networks:
- Monitoring systems (status.gifty.nl)
- Development and test environments
- Marketing websites and systems (blog.gifty.nl, gifty.nl)
Low-impact vulnerabilities:
- Missing HTTP headers and cookie flags without demonstrable practical misuse
- Publication of server and software information (for example via headers)
- Missing rate-limiting
- Theoretical security issues without proof of misuse
- Edge cases requiring an unrealistic combination of circumstances
- Automated scans and reports
- Email spoofing
- DNSSEC related problems
Specific attack methods:
- Brute-forcing
- CSRF on unimportant actions and systems
- Self-XSS related problems
- Social engineering attacks (including phishing)
- (D)DoS attacks
- Security vulnerabilities requiring physical access to our systems
Other excluded reports:
- Disruptions to our services
- Problems requiring outdated systems or plugins
- Problems that are already known to us