Responsible Disclosure

The security of user data and communication is of paramount importance to APUtime. To ensure the best security for our service, we invite responsible disclosure of any vulnerabilities you find in APUtime.

These principles of responsible disclosure are, but are not limited to:

- Accessing or displaying only customer data that belongs to you.

- Refraining from utilizing scanning techniques that could lead to a deteriorating service for other customers (e.g. by overloading the site).

- Adhering to the provisions of our Terms Of Service.

- Keeping any vulnerabilities undisclosed until APUtime has been informed and had a reasonable amount of time to solve the issue.

- Sharing any information regarding vulnerabilities identified through the bug bounty program is strictly prohibited.In order to be eligible for a reward, your submission must be validated by APUtime. We use the following rules to decide on the validity of requests and the reward compensation provided.


We are interested in security vulnerabilities that can be used to access user data that is not yours. We will only reward a vulnerability if it can be utilized on its own or combined with another vulnerability you report to do this. General "bugs" are not eligible for a reward, and anything that is not an exploit is classified as a "bug". The exploit must be based on weaknesses in APUtime's systems. The severity of the issue may be lowered due to the presence of compensating controls and context.


Our engineers must be able to reproduce the security issue based on the information provided in your report. Reports that are not detailed enough will not be considered for a reward. Reports that provide detailed instructions and operational code are more likely to be rewarded.

Video required

False and robotic reports are constantly growing and are not acceptable and reproducible. To be report accepted, we require the video which demonstrates the vulnerability and access user data that is not yours.


Everything in the domain space with the exception of all listed in Unaccepted section.

We accept only vulnerabilities connected with the APUtime application. All external business supporting sites are excluded (eg. www., roadmap., status., blog., learn., etc. on


1. DMARC policy

2. Automated scanning tools (nmap,, Nessus, Qualys, …)

3. Denial of Service vulnerabilities (DOS/DDOS)

4. Social Engineering, Phishing

5. Mixed-content scripts

6. Missing Cookie Flags

7. Vulnerabilities that are only exploitable if a potential victim actively takes steps to make themselves vulnerable, such as installing non-standard software.

8. User Enumeration

9. Password Complexity

10. Vulnerabilities on Third-Party Products

11. Practices for Enhancing Security Where Other Controls are in Place.

12. CSRF with minimal impact i.e. Login CSRF, Logout CSRF, etc.

13. Subdomain Takeover

14. Clickjacking

15. Self XSS

16. Email Spoofing - SPF Records Misconfiguration

17. Content Spoofing

18. Stack Traces, Path Disclosure, Directory Listings

19. SSL/TLS controls Where Other mitigating Controls are in Place

20. Banner Grabbing

21. Reflected File Download

22. Reports on Outdated browsers

23. Demonstrating the lack of an impact from Host header Injection

24. HTTP Trace Method

25. UI APP behaviour changes based on API responses modification


Only one reward will be given for each vulnerability reported.

If multiple reports of the same issue are received, the first clear report will be the only one to receive a reward.

We are flexible when it comes to our reward system and do not have a minimum or maximum amount; the reward will depend on the severity, impact, and quality of the report.

However, we are unable to grant rewards to individuals residing in countries listed on the sanctions list (e.g. Cuba, Iran, North Korea, Sudan & Syria, Russia). This is a discretionary program and APUtime reserves the right to cancel the program at any time. The decision to pay a reward is at our discretion.


Please use the support chat or email us on support(at)