# General rules and regulations **General rules:** * The program may be canceled at any time, and awards are at the sole discretion of the bug bounty panel. * Participants must not be on any sanctions lists or reside in countries on sanctions lists (e.g., North Korea, Iran, etc.). * Proof of identity is required due to local laws. * Participants are responsible for any applicable taxes. * All awards are subject to applicable law. * Participants must adhere to the reporting guidelines provided. **Eligibility for Rewards:** * Issues without a Proof of Concept (POC) are not eligible for bounty rewards. * Duplicate reports of the same vulnerability are not eligible for additional rewards. * Publicly disclosing a vulnerability before it's resolved makes it ineligible for a bounty. * The vulnerability report should not be related to activities that violate the service's terms of service or any laws. **Vulnerability Submission:** * One report per vulnerability * The first report for a specific vulnerability is accepted. * Reports for vulnerabilities already known are not accepted. * Reports submitted for vulnerabilities explicitly listed as out of scope are not accepted. * If a chain security vulnerability is detected using multiple security vulnerabilities, separate reporting is allowed. * Higher rewards are paid for clear, well-written submissions. * A Proof of Concept (POC) must be included to be eligible for rewards. Please include test code, scripts, and detailed instructions. The easier we can reproduce and verify the vulnerability, the higher the reward. * Include a clear description of how to fix the issue. * Vulnerability reports should be submitted through the designated channels. **Testing Guidelines:** * Testing must not violate any law or compromise any data that the participant does not own. * Participants should not access or modify other users' data during testing and should only use accounts under their control. * Vulnerabilities allowing access to user data should be reported responsibly, without unauthorized access. * Testing should be limited to verifying the presence and impact of the vulnerability. **Prohibited Actions:** * Social engineering methods (e.g., phishing, vishing, smishing) and physical attacks (e.g., computer theft, SIM card copying) are strictly prohibited. * Denial of Service (DoS) attacks must not be attempted. * Any actions that could compromise the integrity or availability of our system **Submission Requirements:** * Reports must be submitted in English. * All details about the vulnerability must be shared, and a Proof of Concept (PoC) must be provided. * If multiple vulnerabilities are discovered, researchers should submit separate reports for each distinct issue. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.auditone.io/platform/bug-bounty/general-rules-and-regulations.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.