As part of CAST AI’s commitment to providing secure products, we reward contributors who report bugs affecting security to us.
Bounties can range from $50 for minor issues to over $1,000 for critical flaws.
List of endpoints
api.cast.ai
What it does: This endpoint is the entry point to our API.
What to look for: We are generally interested in application logic bugs, privilege escalation, and RCE.
What it runs on: The API is written in Golang.
console.cast.ai
What it does: This subdomain lets you access a client-side interface that calls the API (api.cast.ai).
What it runs on: The web app is written in React.
To qualify for a bounty, you must:
- Be the first to report a specific vulnerability
- Not seek or leverage the vulnerability for additional or external bounties or rewards
- Provide a clear report, which includes a working exploit:
  - A detailed description of the issues being reported.
  - Any suggestions on how to improve.
  - Enough information for CAST AI to be able to reasonably reproduce the issue.
Rules
CAST AI Bug Bounty Program payments are granted solely at the exclusive discretion of CAST AI. You are responsible for the payment of all applicable taxes, if any.
We appreciate people testing our security, but CAST AI customers must not be affected by any research or tests. Under any circumstances, do not:
- Violate any laws;
- Access or change accounts of other CAST AI customers;
- Damage or change our systems;
- Compromise the availability of our services (e.g. Denial of Service);
- Run scanning tools or test the cloud providers' infrastructure;
- Use any social engineering techniques to access our systems or reach CAST AI employees;
- Test our partners;
- Reveal any private data to third parties or to the public.
Send your report by email to bugbounty@cast.ai.