Fidel VDP Program

  • FidelBounty offers a comprehensive and efficient platform to manage their bug bounty programs. Our platform allows companies to set up customized challenges, receive vulnerability reports, and communicate with hackers in a secure and streamlined manner. With our extensive network of skilled hackers, companies can tap into a diverse talent pool and receive valuable insights to improve their cybersecurity.


Inscope assets

  • any subdomain own by fidelbounty: *

program terms and conditions

  • You must show that you could exploit a vulnerability, but you must not exploit it. You must not: access, modify, copy, download, delete, compromise or otherwise misuse others’ data; access non-public information without authorization; degrade, interrupt or deny services to our users; and/or incur loss of funds that are not your own.
  • You must not leverage the existence of a vulnerability or access to sensitive or confidential data to make threats, extortionate demands, or ransom requests.
  • any form of scanners that intensly affect our system are not acceptable and can lead to  ban from the program.
  • Your testing must not violate any applicable laws or regulations.
  • By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without fidel’s prior written approval.
  • You will be responsible for any tax implications related to any bounty payment you receive, as determined by the laws of Ethiopia.
  • You must be 18 years of age or older.
  • You must not be employed by fidel or any of its affiliates. You must also not be an immediate family member of someone employed by fidel or any of its affiliates.
  • By reporting a bug, you grant fidel  and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, create derivative work from, or share your submission for any purpose. You waive all claims arising from your submission, including breach of contract or implied-in-fact contract.
  • Whether to provide a payment for the disclosure of a bug and the amount of the payment is entirely at our discretion, and we may cancel or modify the program at any time.
  • Only the first responsibly-disclosed submission of a vulnerability instance will be marked as valid, and any subsequent reports will not be eligible for our program.

Ineligible Vulnerabilities 

Fidel does not consider the following to be eligible vulnerabilities:

  • Denial of service
  • Reports of spam
  • Social engineering
  • Self-XSS
  • Content/text spoofing
  • Unconfirmed reports from automated vulnerability scanners
  • Disclosure of server or software version numbers
  • Hypothetical subdomain takeovers without supporting evidence
  • Session invalidation or other improved security related to account
  • management when a credential is already known (e.g., password reset link
  • does not immediately expire, adding MFA does not expire other sessions, etc.)
  • Perceived security weaknesses without concrete evidence of the ability to compromise a user (e.g., missing rate limits, missing headers, etc.)
  • Reports exploiting the behaviour of, or vulnerabilities in, outdated browsers
  • User/merchant enumeration
  • Best practice reports without a valid exploit (e.g. use of “weak” TLS ciphers).

submit your report to: