Security & Bug Bounty Program
We operate our own bug bounty program and are happy to compensate white-hat hackers for responsible disclosure of security vulnerabilities.
Currently all types of issues across all glif-related domains and subdomains are considered in-scope, including our API. Our domain names include: glif.app, glif.xyz, and glif.ai. Our official social media accounts are also in-scope, and are linked from the footer of the website.
Please note that there are other companies named "glif", and only our domains and social media accounts are part of our program.
To be eligible for a bounty, your disclosure must include the affected URLs and detailed steps to reproduce the issue. Automated crawls and low-effort reports will not receive bounties.
We will provide significantly larger bounties for reports that are meaningful, well-written, and especially reports that include a working proof-of-concept for the exploit. To go above and beyond, include your recommendations for remediating the issue. This saves us lots of time and work, and we appreciate that! And we try to show our appreciation with both words and money.
Please email security@glif.xyz about the issue you've found and we'll get back to you as quickly as possible.
If necessary we can provide PGP keys or switch to Signal for more secure communication.
The size of the bounty paid is based on the severity of the issue, e.g. whether it could cause financial damage, reveal personal information, or be used for phishing, spam or other forms of abuse. Additionally, we consider whether it allows for mass data access vs. requiring individual users to take action to be compromised.
Thank you for your help!