
Cerebrum Security Disclosure & Bug Bounty

At Cerebrum, we value the security of our systems as much as the privacy of our clients. Our robust compliance solutions are designed to ensure optimal security, and we are dedicated to continuously improving our safeguards.

Bug Bounty Program

We believe that securing our platforms is an ongoing effort, and we acknowledge the valuable role that security researchers play in this process. To show our appreciation, we are launching our Bug Bounty Program. We invite researchers to identify and report potential vulnerabilities in our system.

This program is specifically designed to encourage you to notify us of any previously unreported vulnerabilities. Please note that a bounty is paid only for a vulnerability that is not already known to us and has not been reported before.

Security Vulnerability Categories & Bounty Amounts

  • Low-Level Vulnerabilities: These issues may cause minor inconvenience, but they aren’t likely to pose a serious risk.
      • Examples: Lack of proper rate limiting, overly verbose error messages, session management issues, missing security headers.
      • Bounty: $200
  • Medium-Level Vulnerabilities: These vulnerabilities could potentially affect the functionality of our systems or compromise the privacy of a small subset of data.
      • Examples: Weak authorization checks leading to privilege escalation through IDOR, lax CSRF token validation, poor API input validation, missing or expired TLS certificates, insecure file uploads.
      • Bounty: $500
  • High-Level Vulnerabilities: These vulnerabilities could jeopardize the security of our platform or compromise sensitive data on a large scale.
      • Examples: SQL injection attacks, leaks of sensitive PII, subversion of existing encryption measures, arbitrary code execution on the server, access to hashed API keys or passwords.
      • Bounty: $1,500
  • Critical-Level Vulnerabilities: These vulnerabilities could cause a complete system compromise or a catastrophic data breach.
      • Examples: Complete authentication bypass, cloud environment access or takeover, direct access to the database.
      • Bounty: $3,000

Reporting Procedure

We ask you to not disclose the vulnerability publicly before it has been resolved. To report a vulnerability:

  • Document the nature of the vulnerability, the steps to reproduce it, and its potential impact. Please include your preferred contact information and your PGP key so that we are able to reply to you securely.
  • Ensure that no sensitive data is included in your report unless absolutely necessary.
  • Encrypt the report to our PGP key (see below).
  • Email your report to security@cerebrum.com.
  • Please use the subject format "[VULNERABILITY_TIER] SEVERITY: Security Vulnerability Report for Cerebrum", where [VULNERABILITY_TIER] is one of LOW, MEDIUM, HIGH or CRITICAL as defined above. For example: "HIGH SEVERITY: Security Vulnerability Report for Cerebrum".
  • Ensure that you do not include any sensitive data in the subject line.

Encryption & Sensitive Data Handling

If possible, please use our PGP key to encrypt your communications. In cases where you must include sensitive data in your report, do not send this data in an unencrypted format!

Our public PGP key is printed on this page, and is also available for download via Google Drive. If you download the PGP key from Google Drive, ensure that the last modified date is before July 22nd, 2023.


Thank You!

Like the billions of neurons working together in our brain, your contributions help us enhance the robustness of Cerebrum’s security. We appreciate your collaboration and look forward to working together to improve our cybersecurity defenses! Thank you for your help and for being a good Samaritan!