Security Program

Bug Bounty Program

Last updated: January 2026

At Olib AI, security is a top priority. We value the security research community and believe that responsible disclosure of vulnerabilities helps us ensure the safety and privacy of our users. This Bug Bounty Program outlines how security researchers can help us identify and fix security issues in Owl Browser.

1. Reward Structure

We offer monetary rewards for valid security vulnerabilities based on their severity and impact. All rewards are paid in USD.

Critical: $5,000
  • Remote Code Execution (RCE)
  • Complete License/Payment Bypass
  • Critical Authentication Bypass
  • Access to Core Production Data

High: $2,000
  • Privilege Escalation
  • Unauthorized User Data Access
  • Stored XSS with Critical Impact
  • Payment Logic Manipulation

Medium / Low: $1,000
  • Reflected XSS
  • CSRF (High Impact only)
  • Significant Info Disclosure
  • Logic Errors with Impact

Note: We strictly prioritize vulnerabilities with demonstrated impact. Theoretical issues, best-practice deviations, or bugs without a working proof-of-concept exploiting sensitive data/access are not eligible for monetary rewards.

2. Scope

2.1 In-Scope Assets
The following are within scope of this program:

  • Owl Browser application (Current Stable & Beta)
  • License validation, activation, and payment integration systems
  • MCP server implementation (Core Logic)
  • Browser stealth/fingerprinting protection bypasses
  • owlbrowser.net and its subdomains
  • portal.owlbrowser.net (license portal)
  • Core API endpoints handling sensitive user data

2.2 Out-of-Scope & Non-Qualifying Issues
The following are NOT eligible for rewards and should not be reported unless they have a critical, demonstrated impact:

  • CSRF on forms with no sensitive actions (e.g., logout, contact forms)
  • Self-XSS or XSS requiring unlikely user interaction (e.g., pasting code)
  • Clickjacking on pages without sensitive state changes
  • Missing HTTP security headers (CSP, HSTS, X-Frame-Options) without exploit
  • Email configuration issues (SPF, DKIM, DMARC) or email spoofing
  • Content Spoofing, Text Injection, or Open Redirects without additional impact
  • Stack traces, path disclosures, or version information disclosures
  • Denial of Service (DoS/DDoS) or spam/rate-limiting issues
  • Reports from automated scanners without manual verification and working PoC
  • Third-party services or dependencies (unless the issue is in our implementation)
  • Social engineering, phishing, or physical attacks

3. Eligibility Requirements

To qualify for a reward, your submission must meet ALL of the following criteria:

3.1 Vulnerability Requirements

  • New and Unknown: The vulnerability must not be previously known to us or publicly disclosed
  • Original Discovery: You must be the first to report the issue
  • Reproducible: Clear steps to reproduce the vulnerability must be provided
  • Valid Security Impact: Must demonstrate real security impact, not theoretical

3.2 Report Requirements

  • Detailed written description of the vulnerability
  • Step-by-step reproduction instructions
  • Proof of concept (code, screenshots, or video)
  • Impact assessment and potential attack scenarios
  • Affected versions and environments
  • Suggested remediation (optional but appreciated)

3.3 Researcher Requirements

  • Must be 18 years of age or older
  • Cannot be a current or former employee of Olib AI (within 12 months)
  • Cannot be a resident of a country under U.S. trade sanctions
  • Must be able to receive payment via bank transfer or PayPal

4. Prohibited Activities

The following activities are strictly prohibited and will disqualify you from the program:

  • Accessing, modifying, or deleting data belonging to other users
  • Executing or attempting denial of service attacks
  • Sending unsolicited messages to users (spam, phishing)
  • Testing on production systems without authorization
  • Publicly disclosing vulnerabilities before they are fixed
  • Violating any applicable laws or regulations
  • Exploiting vulnerabilities beyond what is necessary for proof of concept
  • Sharing vulnerability details with third parties
  • Automated scanning that degrades service performance

5. Submission Process

5.1 How to Submit
Send your vulnerability report to:

security@owlbrowser.net

5.2 Report Format
Please include the following in your submission:

  • Subject: [BUG BOUNTY] Brief description of the vulnerability
  • Summary: One paragraph overview of the issue
  • Severity: Your assessment (Critical/High/Medium/Low)
  • Affected Component: Which system/feature is affected
  • Steps to Reproduce: Detailed, numbered steps
  • Proof of Concept: Code, screenshots, or video evidence
  • Impact: What an attacker could achieve
  • Environment: OS, browser version, etc.

5.3 Encrypted Communication

For sensitive reports, we strongly recommend encrypting your email using our PGP/GPG public key.

PGP Public Key

Fingerprint (verify before use):

FB55 04FB 6FE1 E144 1A80 BF1E 3622 828E C1C6 3200

Always verify the fingerprint matches before importing the key.

6. Response Timeline

We are committed to responding to security reports in a timely manner:

  • Initial Response: Within 3 business days
  • Triage & Validation: Within 10 business days
  • Fix Development: Varies by severity
  • Reward Payment: Within 30 days of fix release

7. Safe Harbor

We will not pursue legal action against researchers who follow this policy.

When conducting security research in accordance with this policy, we consider your research to be:

  • Authorized concerning any applicable anti-hacking laws
  • Authorized concerning any relevant anti-circumvention laws
  • Exempt from restrictions in our Terms of Service that would interfere with conducting security research
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith

You are expected, as always, to comply with all applicable laws. If at any point you have concerns or are uncertain whether your security research is consistent with this policy, please contact us at security@owlbrowser.net before proceeding.

Coordinated Disclosure:
We request that you give us reasonable time to investigate and address the vulnerability before any public disclosure. We typically request 90 days from the initial report, though this may vary depending on the complexity of the fix required.

8. Legal Terms

8.1 Reward Determination
All reward decisions are made at the sole discretion of Olib AI. We reserve the right to modify reward amounts, decline to pay rewards, or terminate this program at any time.

8.2 Duplicate Reports
If multiple researchers report the same vulnerability, only the first valid report will receive a reward. We determine priority by the timestamp of receipt of a complete, valid report.

8.3 Tax Obligations
You are responsible for any tax obligations arising from rewards received. Depending on your jurisdiction and the reward amount, we may require tax documentation (W-9 for U.S. residents, W-8BEN for non-U.S. residents).

8.4 Confidentiality
By participating in this program, you agree to keep all vulnerability details confidential until we confirm the issue has been resolved and authorize public disclosure.

8.5 No Employment Relationship
Participation in this program does not create an employment, partnership, or agency relationship between you and Olib AI.

8.6 Governing Law
This program is governed by the laws of the State of Georgia, United States, consistent with our Terms of Service.

9. Hall of Fame

We are incredibly grateful to the security researchers who help make Owl Browser safer for everyone. While not every valid report qualifies for a monetary reward (e.g., lower severity issues, valid CSRF without sensitive actions, or other findings that improve our posture), we want to recognize your contributions.

2026 Hall of Fame

Sumit Sahoo

Security Researcher

10. Contact

For security reports and questions about this program:

Olib AI Security Team

Security Reports: security@owlbrowser.net

General Inquiries: hello@owlbrowser.net

Thank you for helping keep Owl Browser and our users safe!

Responsible Use

Owl Browser is designed for legitimate business automation, including web testing, data collection for research, accessibility auditing, and workflow automation. We require all users to:

  • Comply with all applicable laws and regulations in their jurisdiction
  • Respect website terms of service and robots.txt directives
  • Avoid unauthorized access to systems, accounts, or data
  • Not use the software for fraud, harassment, or any malicious purpose
  • Sign a Non-Disclosure Agreement before accessing the software

We vet all prospective customers to ensure alignment with these principles. Misuse of Owl Browser will result in immediate license revocation without refund, as outlined in our Terms of Service and License Agreement.