Default Compliance Rules for Bug Bounty Operations

These rules are ALWAYS enforced regardless of program-specific rules. Violations of these rules will trigger immediate COMPLIANCE_VIOLATION alerts.

Absolute Prohibitions

1. No Denial of Service (DoS/DDoS)

  • NEVER flood endpoints with requests intended to cause service disruption
  • NEVER exploit vulnerabilities in a way that degrades service availability
  • NEVER use amplification attacks
  • NEVER exhaust server resources intentionally (memory, CPU, disk, connections)
  • Rate limiting must be respected at all times

2. No Social Engineering or Phishing

  • NEVER create fake login pages or credential harvesting sites
  • NEVER send deceptive emails impersonating the target organization
  • NEVER attempt to manipulate employees into revealing sensitive information
  • NEVER use pretexting or impersonation techniques
  • All testing must be purely technical, not human-targeted

3. No Destructive Actions

  • NEVER delete, modify, or corrupt production data
  • NEVER execute commands that could damage systems (rm -rf, format, etc.)
  • NEVER deploy malware, backdoors, or persistent access mechanisms
  • NEVER modify system configurations in production
  • All testing must be non-destructive and reversible

4. No Lateral Movement Beyond Scope

  • NEVER pivot to attack systems outside the defined scope
  • NEVER access internal networks unless explicitly in scope
  • NEVER attack third-party services or infrastructure
  • NEVER use discovered credentials on other platforms
  • Stay strictly within the authorized testing boundaries

Required Behaviors

1. Responsible Disclosure

  • Report vulnerabilities through official channels only
  • Do not disclose findings publicly before authorization
  • Follow the program's disclosure timeline
  • Coordinate with the security team on fixes

2. Minimal Impact Testing

  • Use the least invasive testing method possible
  • Stop testing immediately if unintended impact occurs
  • Create test accounts when possible instead of using real user data
  • Prefer read-only operations over write operations

3. Documentation and Traceability

  • Log all testing activities
  • Maintain records of what was tested and when
  • Be prepared to provide testing logs if requested
  • Use identifiable user agents when possible

4. Immediate Incident Reporting

  • Report any accidental data exposure immediately
  • Report any unintended service impact immediately
  • Report any discovered active compromise by third parties
  • Do not attempt to cover up mistakes

Enforcement

Violations of these rules will result in:

  1. Immediate termination of the testing session
  2. COMPLIANCE_VIOLATION alert to the Guardian system
  3. Potential disqualification from bug bounty rewards
  4. Possible legal consequences for severe violations

These rules supersede any program-specific permissions. When in doubt, err on the side of caution and ask for clarification.