Fathom Analytics security bounty
We reward ethical researchers who share critical security issues as part of our commitment to privacy and security. That way, we can prioritize resolving issues as quickly as possible to protect our customers.
We don’t just offer our undying appreciation and love for reported security vulnerabilities; we offer cold, hard cash (along with that 🖤).
Why we’re doing this
Our small team takes great pride in our security and infrastructure. Over the last few years, we’ve learned so much about best practices, exploitive patterns, and top vulnerabilities—but we also know that no one team can know everything. We’re constantly learning, adapting, and adjusting.
Fathom is always striving for the best security and infrastructure in our industry, and your research helps push us even further by revealing any blind spots.
How rewards work
We pay varying amounts depending on the severity of the vulnerability, but the average bounty range is between $100-$1,000. Payment is based on how critical, impactful or risky an issue is, and we determine the reward amount.
We pay these cash rewards via Wise to reporters who submit original, in-scope issues affecting our security systems.
Rules for rewards and disclosures
- First, don’t discuss the vulnerability publicly or with anyone else without express consent from Fathom Analytics. Also, do not break any applicable law.
- Don’t run any test to confirm a vulnerability if it will negatively impact or disrupt our services or our customers’ access to our service.
- You must also be the first person to report the vulnerability to be rewarded.
- Fathom Analytics reserves the right to cancel this program at any time, and the decision to pay a reward is entirely at our discretion. We aren’t jerks here, so we’d only not pay a reward if there was a good and rational reason to do so.
Other rules to keep in mind
- Do not attempt to gain access to another user’s account or data. For cross-account testing, use your own test accounts.
- DDoS (Distributed Denial of Service) or spam attacks are not allowed.
- If in doubt about whether you may breach a rule, email us.
We focus on vulnerabilities in usefathom.com (our marketing site) and app.usefathom.com (our application site), including:
- Remote code execution (RCE)
- Injection vulnerabilities
- File inclusions
- Access control issues (IDOR, privilege escalation, etc.)
- Leakage of sensitive/customer information
- Server-Side Request Forgery (SSRF)
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Other vulnerabilities with apparent and actual impacts
The vulnerability must demonstrate a security impact on our site or application. You must not have compromised the privacy of our users or otherwise violated our terms of service, and you must not have publicly disclosed the vulnerability before the report was closed.
We do not provide rewards for the following things:
- Certificates/TLS/SSL-related issues
- DNS issues (e.g., MX records, SPF records, DMARC records, etc.)
- Server configuration issues (e.g., open ports, TLS, etc.)
- User account enumeration
- Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking
- Descriptive error messages (e.g., stack traces, application or server errors), unless sensitive data is exposed
- Login & Logout CSRF
- Username/email enumeration via Login/Forgot Password Page error messages
- Host header issues without proof-of-concept demonstrating the vulnerability
- Spam (SMS, email, etc.)
- Denial of service attacks (DoS/DDoS)
- Theoretical issues
- Files without sensitive information
- Missing HTTP security headers
Here’s how reporting works
- You email us your report
- We acknowledge your report if it’s rewardable, and triage it for resolution
- We determine the reward value
- You issue us a tax invoice for the amount
- We pay you via a local bank transfer (sent via wise.com)
- We will update you as we fix the vulnerability you submitted
How to report a security vulnerability
Email us at email@example.com, and we’ll get back to you (typically within five business days).
Please provide a clear report of the issue (one per email) and how to replicate it. When possible, provide all relevant videos, logs, etc.