Security
Bug bounty program
We pay for verified, in-scope security findings. The program is currently invite-only on Intigriti while we stabilise post-pentest. If you’d like an invitation, see “How to get in” below.
Status
Phase: private, invite-only.
Why invite-only? Two reasons.
- We want signal, not noise. A small invited cohort of experienced researchers produces fewer duplicates and fewer automated-scanner reports than an open program.
- We need to triage what comes in reliably. meandai is a single-operator company; a flood of low-quality submissions is worse than no submissions.
We expect to expand to a public program 6–12 months after the second annual external pentest, once our triage capacity is proven.
How to get in
Two paths:
- Intigriti reputation. If you have a verified Intigriti profile with established triage history (rough bar: 10+ accepted reports across other programs), email security@meandai.io with your handle and we’ll invite you on Intigriti.
- Responsible disclosure first. Submit a high-quality finding via our responsible disclosure process. If we accept it and ship the fix, we’ll invite you to the bug bounty program for future research.
Reward bands
Awards are paid in EUR via Intigriti, on accepted, in-scope findings, after the fix is verified. Severity is determined by meandai using CVSS v3.1 + business impact; we’ll explain the rationale on each finding.
| Severity | Examples | Reward |
|---|---|---|
| Critical | Cross-tenant data access, auth bypass, RCE, capability token forgery, mass-tenant impact | €1,000 – €5,000 |
| High | Single-tenant data access, privilege escalation, stored XSS in dashboard, injection that bypasses PromptArmor | €500 – €1,500 |
| Medium | CSRF on state-changing endpoint, weak crypto on a non-critical surface, auth-state info leak | €100 – €500 |
| Low | Reflected XSS without sensitive context, missing Strict-Transport-Security on a non-critical surface | €50 – €150 |
Bonus multipliers: chained findings (multi-step exploit chains) up to 1.5×; a finding that prompts an architectural change up to 2×. Duplicates: the first reporter of an issue receives the full bounty; later reports of the same issue receive nothing.
Scope
Same as responsible disclosure scope. The bug bounty program does not add new targets — it adds payment for the same set of findings.
Out of scope: see responsible disclosure. Note especially: automated-scanner output without manual verification, DoS, and social engineering are firmly out.
Triage SLAs
- Acknowledgement: 5 business days (typically <72h).
- Severity assigned: within 7 business days of acknowledgement.
- Fix scheduled: P0 within 24h, P1 within 7 days, P2 within 30 days, P3 within 60 days or risk-accepted with rationale shared with the reporter.
- Payment: within 14 days of fix verification.
What we reject
We’ll mark findings as not-applicable for these reasons:
- Out of scope per the responsible disclosure list.
- Duplicate — first reporter gets the bounty.
- Already known — if we have it in the remediation log or it’s been disclosed in a prior pentest, no bounty (we’ll show you the proof).
- Not exploitable — theoretical findings without a working repro do not qualify.
- Tested on user data — if you used another customer’s account or data without consent, this voids the bounty AND the safe-harbour.
Hall of fame
Researchers who submit accepted findings are invited to the hall of fame with their preferred handle (or anonymous).
Bug bounty version 1.0 — published 2026-05-04. Engineering details at docs/security/BUG_BOUNTY_PROGRAM.md.