Bug Bounty Program

Here at Castos we are constantly thriving to create a better, more secure, and more performant platform for our customers and the podcasting industry.

As a technology company, we know that no software program is perfect, and our product is never done. A big part of creating an industry-leading platform is crafting a welcoming channel for bugs, vulnerabilities, and security concerns to be reported in a confidential manner.

Here at Castos, we take privacy and security very seriously. As a result, we encourage everyone to participate in our open bug bounty program, which incentivizes researchers and hackers alike to responsibly find, disclose, and help us resolve security vulnerabilities. As with many bug bounties out there, Castos has a fairly straightforward and simple set of rules that help protect both us and those looking to disclose. Thanks for participating and happy bug hunting!

How we approach security issues

  • Castos will not take legal action against users for disclosing vulnerabilities as instructed here.
  • Vulnerability reports will always be responded to as fast as possible—usually within 24 hours.
  • Based on the validity, severity, and scope of each issue, we’ll reward you with either a mention in our security researcher hall of fame or a financial reward.
  • If you’d like, you’ll be listed in our Security Research Hall Of Fame!

Program Rules

  • Only use and test on accounts and servers you directly own. Testing should never affect other users.
  • Testing should be limited to sites and services that Castos directly operates. We will not accept reports for third-party services or providers that integrate with Castos through our APIs, integration partners, or directories.
  • Don’t perform any actions that could harm the reliability or integrity of our services and data. Some examples of harmful activities that are not permitted under this bounty include: brute forcing, denial of service (DoS), spamming, timing attacks, etc.
  • Don’t use scanners or automated tools to find vulnerabilities.
  • No information about issues found should be publicly disclosed or shared until we’ve completed our investigation and resolution. After confirmation, you are free to document and publish any information about the issues you’ve found in accordance with HackerOne’s disclosure guidelines.

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are generally considered out of scope (note, this is not an exhaustive list):
  • Account/E-mail enumeration
  • Attacks requiring MITM or physical access to a user’s device
  • Brute force attacks
  • Clickjacking
  • Content spoofing and text injection
  • CSRF vulnerabilities
  • Denial of Service attacks
  • Email SPF, DKIM, and DMARC records
  • Invite enumeration
  • Missing HttpOnly/Secure cookie flags
  • Open CORS headers
  • Publicly accessible login panels
  • Reports from scanners and automated tools
  • Reports on the subdomains feedback.castos.com, status.castos.com, and support.castos.com
  • Self-exploitation (like token reuse and console scripting)
  • Social engineering or phishing attacks targeting users or staff

Found a rare species of bug?