Contact: mailto:security@sharesies.co.nz
# Sharesies recognises the value of independent security researchers in the security ecosystem. Although Sharesies does not operate a formal bug bounty program, we may offer researchers a reward (bug bounty) for findings, to show our gratitude and to encourage them to report further findings.
#
# That said, due to our regulatory requirements we explicitly do not authorise targeted security testing or scanning against our platform or the creation of accounts for such purposes.
#
# Payments are at our discretion and typically only for high/critical risk findings such as broken authentication.
#
# Due to anti-money-laundering requirements we need to confirm the identity of any researchers before we pay a reward. These are the options we offer researchers:
#
# To accept a reward from us, you would need to be able to provide:
#
# A photo of you with an NZ or internationally recognised identity document that we can verify (passport, NZ driver's licence) and a bank account in the same name as the ID to transfer the payment to.
#
# We recognise that some researchers are very keen to retain anonymity for a variety of perfectly valid reasons. Sharesies is a financial institution and subject to anti-money-laundering regulation and reporting that makes it difficult for us to pay funds to unidentified individuals. We welcome suggestions of additional payment mechanisms that meet our AML obligations.
#
# To make the triage process go smoothly, we ask that reporters provide the following:
#
# - Full requests and responses, including header information. Screenshots are acceptable as long as they don't obscure any information. Textual format is preferred; both together are excellent.
# - Relevant timeline of requests leading up to and exploiting the reported issue.
# - Email address of any accounts used for testing.
# - Clear reproduction steps. If we can't reproduce your finding, it will likely get closed with no reward.
# - If possible, provide a video screen capture showing all your reproduction steps.