Scholify Bug Bounty Program Norms

As a part of Scholify’s commitment to a seamless user experience, we reward contributors who share with us the reports of any bugs or errors affecting a seamless experience. We make it a priority to resolve the reported issues as quickly as possible in order to best serve our users. Scholify also offers public recognition for those who report valid bugs and any suggestions towards improving/solving them.

Eligibility and Participation Requirements

In order to be eligible for an Scholify Bug Bounty Program, the issue must occur on the latest publicly available versions of the Scholify Android/iOS app or the website. These eligibility rules are meant to protect our users until an update is available, ensure Scholify can quickly verify reports and create necessary updates, and properly reward those doing original research. Researchers must:

To participate in this bug bounty you must:

• Not be employed by Scholify, a family member of a person employed by Scholify, or a contractor of Scholify.
• Not be in violation of any national state, or local law or regulation with respect to any activities directly or indirectly related to the Bug Bounty Program.

To qualify for a bounty you must:

• Be the first to report a specific vulnerability
• Report a vulnerability only through the process outlined
• Disclose the vulnerability responsibly and directly to Scholify. Disclosure to other third parties before or during bug review will invalidate the submission
• Not seek or leverage the vulnerability for additional or external bounties or rewards
• Be the first party to report the issue to the Scholify Product Team
• Provide a clear report, which includes a working exploit (detailed below)
• Not disclose the issue publicly before Scholify releases the security advisory for the report. (Generally, the advisory is released along with the associated update to resolve the issue)

Report and Payout Guidelines

The goal of the Scholify Bug Bounty Program is to ensure a smooth, safe, and seamless experience to our users through understanding both vulnerabilities and their effects. Reports that include a basic proof of concept instead of a working exploit are eligible to receive no more than 50% of the maximum payout amount. Reports lacking necessary information to enable Scholify to efficiently reproduce the issue will result in a significantly reduced bounty payment, if accepted at all. A complete report includes:

• A detailed description of the issues being reported.
• Any suggestions on how to improve.
• Enough information for Scholify to be able to reasonably reproduce the issue.
• The name(s) of the Scholify product or technology and the respective version information.
• Detailed description of the bug or any potential vulnerability.
• Proof-of-concept that details the reproduction of the bug or the potential vulnerability.

The more details provided in the initial report, the easier it will be for Scholify to evaluate your report.

Sending your report

Send your report by email to bugbounty@scholifyme.com. Include all relevant videos, images, crash logs, and system diagnosis reports in your email.

Terms and Conditions

You must not disrupt, compromise, or otherwise damage data or property owned by Scholify or other parties. This includes attacking any devices or accounts other than your own (or those for which you have explicit, written permission from their owners), and using phishing or social engineering techniques.

1. You must not disrupt Scholify services.
2. Immediately both stop your research and notify Scholify on the email before any of the following occur:
   • You access any accounts or data other than your own (or those for which you have explicit, written permission from their owners).
   • You disrupt any Scholify service
3. You must comply with all applicable laws, including local laws.
4. Scholify Bug Bounty Program payments are granted solely at the exclusive discretion of Scholify.
5. You are responsible for the payment of all applicable taxes, if any.
6. A participant in the Scholify Bug Bounty Program (“SBBP Participant”) will not be deemed to be in breach of applicable Scholify license provisions which provide that a user of Scholify may not copy, decompile, reverse engineer, disassemble, attempt to derive the source code of, decrypt, modify, or create derivative works of such Scholify, for in scope actions performed by that SBBP Participant where all of the following are met:
   • The actions were performed during good-faith security research, which was — or was intended to be — responsibly reported to Scholify;
   • The actions were performed strictly during participation in the Scholify Bug Bounty Program; and
   • Neither the actions nor the SBBP Participants have otherwise violated these policies such as violating legal requirements 1, 2, and 3, above.

If you follow the program terms, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. Please understand that this waiver does not apply to your security research that involves the networks, systems, information, applications, devices, products, or services of another party (which is not Scholify). We cannot and do not authorize security research in the name of other entities.

Confidentiality Obligations

“Confidential Information” means any information that is marked or otherwise designated as confidential at the time of disclosure or that a reasonable person would consider confidential based on the circumstances and content of the disclosure, and which is disclosed in connection with a Scholify Bug Bounty Program. Confidential Information does not include information that: (i) is or becomes known to the receiving party from a source other than one having an obligation of confidentiality to the disclosing party; (ii) is or becomes publicly known or otherwise ceases to be confidential, except through a breach of this Agreement; or (iii) is independently developed by the receiving party.

Before engaging in any testing or submitting findings you agree that you will (i) hold in confidence and not disclose to any third party any Confidential Information, except as approved in writing by disclosing party; (ii) protect such Confidential Information with at least the same degree of care that the Researcher uses to protect its own Confidential Information, but in no case, less than reasonable care; (iii) use the disclosing party’s Confidential Information for no purpose other than the use permitted by the disclosing party; and (iv) immediately notify disclosing party upon discovery of any loss or unauthorized disclosure of disclosing party’s Confidential Information

ALL SUBMISSIONS ARE CONFIDENTIAL INFORMATION OF THE PROGRAM OWNER UNLESS OTHERWISE STATED IN THE BOUNTY BRIEF. This means no submissions may be publicly disclosed at any time unless the Program Owner has otherwise consented to disclosure.

Good Faith Participation

All participants in the Bug Bounty Program must act in good faith when investigating vulnerabilities. "Good Faith" means:

• Play by the Rules -- Abide by the terms and conditions specified herein. If you have any questions or concerns about the terms and conditions, please reach out directly to the Scholify team about it.
• Don't be a jerk. You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests or trying to shake us down. In other words, if you find a vulnerability, report it to us with no conditions attached.
• Work for Good -- You should never leave a system or users in a more vulnerable state than when you found them. This means that you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering, or spam.

Failure to act in good faith will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any benefit of the Bug Bounty Program.

Intellectual Property

By submitting your content to Scholify (your “Submission”), you agree that Scholify may take all steps needed to validate, mitigate, and disclose the vulnerability, and that you grant Scholify any and all rights to your Submission needed to do so.
For any further support, write to us at bugbounty@scholifyme.com