Bug Bounty Program
At Pokee AI, security is a top priority. We value the work of security researchers who help us keep our platform and users safe. If you discover a security vulnerability, we want to hear from you.
Reward Tiers
Bounties are awarded based on the severity of the verified vulnerability. All reports are evaluated on a case-by-case basis.
- Low — Minor issues with limited impact, such as non-sensitive information disclosure, low-risk misconfigurations, or UI-level bugs with minimal security implications.
- Medium — Issues that could lead to limited data exposure, privilege escalation in restricted contexts, or meaningful bypasses of non-critical security controls.
- Critical — Severe vulnerabilities such as remote code execution, authentication bypass, SQL injection, access to sensitive user data, or full account takeover.
Pokee AI reserves the right to determine the final severity classification and reward amount for all reported vulnerabilities. Exceptional findings may receive higher rewards at our discretion.
Scope
In Scope
- pokee.ai — main website and web application
- api.pokee.ai — public-facing API endpoints
- Authentication and authorization mechanisms
- Payment and billing flows
- User data handling and storage
- PokeeClaw environment isolation
Out of Scope
- Third-party services and integrations not operated by Pokee
- Social engineering, phishing, or physical attacks against Pokee employees
- Denial-of-service (DoS/DDoS) attacks
- Spam or rate-limiting issues without a security impact
- Vulnerabilities in outdated browsers or platforms we do not support
- Reports from automated scanners without a demonstrated proof of concept
- Clickjacking on pages with no sensitive actions
- Missing security headers that do not lead to a demonstrable exploit
What to Report
We are interested in vulnerabilities that have a real security impact. Examples include, but are not limited to:
- Remote code execution (RCE)
- SQL injection, NoSQL injection, or command injection
- Cross-site scripting (XSS) with demonstrable impact
- Cross-site request forgery (CSRF) on sensitive actions
- Authentication or session management flaws (e.g., account takeover, session fixation)
- Insecure direct object references (IDOR) leading to unauthorized data access
- Server-side request forgery (SSRF) with access to internal resources
- Privilege escalation between users or roles
- Exposure of sensitive data (API keys, credentials, PII)
- Sandbox escape or container breakout
How to Report
Send your report to support@pokee.ai with "Bug Bounty" in the subject line.
Please include the following in your report:
- Description — A clear summary of the vulnerability and its potential impact.
- Steps to reproduce — Detailed, step-by-step instructions that allow us to reliably reproduce the issue.
- Proof of concept — Screenshots, screen recordings, HTTP request/response logs, or working exploit code.
- Affected asset — The URL, endpoint, or component where the vulnerability exists.
- Suggested severity — Your assessment of the impact (Low, Medium, or Critical).
- Your contact info — How we can reach you for follow-up questions.
Our Process
Acknowledgment
We will acknowledge receipt of your report as soon as possible.
Verification
Our security team will review and attempt to reproduce the issue. We may reach out for additional information. Please allow us reasonable time to investigate and verify.
Severity Assessment
We will classify the severity based on factors including exploitability, impact, and affected scope. We do our best to evaluate every report fairly, and we welcome your input, but the final determination of severity and reward amount rests with Pokee AI.
Remediation & Reward
Once the vulnerability is confirmed and patched, we will reach out to discuss and arrange the bounty payment.
Rules of Engagement
- Do not access, modify, or delete data belonging to other users. Use your own test accounts only.
- Do not perform actions that could degrade service availability (e.g., DoS, brute force, excessive scanning).
- Do not publicly disclose a vulnerability before we have had a reasonable opportunity to address it.
- Act in good faith. Research should be conducted in a way that avoids privacy violations, data destruction, or service interruption.
- One report per vulnerability. If you find multiple instances of the same class of bug, please group them into a single report.
- You must be the first to report the vulnerability to be eligible for a reward.
- Pokee AI employees, contractors, and their immediate family members are not eligible.
Safe Harbor
We consider security research conducted in accordance with this policy to be authorized. We will not pursue legal action against researchers who discover and report vulnerabilities responsibly and in compliance with the rules above. If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will make it known that your actions were authorized by Pokee AI.