Bug bounty

Bug bounty program terms

CargoX is committed to working with security researchers to improve the safety of our systems. This program is designed to identify and address vulnerabilities responsibly. Participation requires adherence to the outlined rules, and all decisions on scope, eligibility, and rewards are final and determined by us. We appreciate your contributions to strengthening our security.

Your participation in the Bug Bounty Program by submitting the form at the bottom of this page is entirely voluntary and governed by the terms and conditions outlined on this page (“Program terms”) as well as CargoX’s General Terms and Conditions, where relevant. Please review these Program terms before submitting a report. By submitting your report, you agree to the Program terms of the CargoX Bug Bounty Program.

Rules of engagement

Out-of-scope reports

If your bug report relates to an issue that is explicitly out of scope, WE WILL NOT RESPOND TO YOUR SUBMISSION. A list of out-of-scope vulnerabilities is provided at the bottom of this page. Please ensure your submissions align with the program's defined scope to receive a response.

Responsible disclosure

Please refrain from publicly disclosing any vulnerabilities before notifying us and allowing sufficient time to address the issue. Unauthorized public disclosure will result in disqualification from the bug bounty program and your liability for damages.

Access to customer data

If you gain access to customer data, exercise restraint and access only the minimum necessary to demonstrate the vulnerability. Accessing or downloading data beyond the bare minimum required for a proof of concept is strictly prohibited; if such actions are discovered, they may result in disqualification from receiving the bounty and in your liability for damages.
The Participant agrees to comply with all applicable data protection laws. If the Participant gains access to personal data, the Participant agrees to sign a Data Processing Addendum with CargoX.

Duplicate submissions

In cases where multiple individuals submit reports for the same vulnerability, the reward will be granted to the first valid submission received. Subsequent submissions for the same issue will not be eligible for a bounty.

Reporting requirements

Include detailed steps to reproduce the issue as described below. Submissions lacking sufficient detail may not be eligible for a bounty.

Severity assessment

Vulnerability severity and corresponding rewards will be determined at the sole discretion of CargoX’s security team, based on factors such as exploitability, impact, and the likelihood of real-world abuse. Please see the rewards section below.

Threats or extortion 

Any attempts to threaten, coerce, or extort the company in relation to bug bounty rewards are strictly prohibited and may result in disqualification from the program, termination of participation, and potential legal action and/or criminal prosecution.

Safe harbour 

We pledge not to initiate legal action against researchers who adhere to these Program terms and act in good faith while participating in our bug bounty program.

Scope changes 

We reserve the right to modify the program's scope, rules, or rewards at any time. Any changes will be communicated through this page.

Rewards

  • Eligibility for a reward and the amount of the reward are solely at CargoX’s discretion. The maximum payout through the Bug Bounty Program is € 1.500,00 (one thousand five hundred euros).

  • Rewards will be based on the impact and severity of the reported issue. The reward amount, if any, will be determined by CargoX’s security team and is non-negotiable. There is no appeal process.

  • Payments will be made via bank transfer. To process the payment, the Participant will be required to provide valid identification (passport or ID document). All rewards are subject to applicable taxes, and it is the Participant's responsibility to comply with local tax laws. CargoX may process payments only to countries not subject to sanctions imposed by the Republic of Slovenia and the European Union.

  • The reward amount and terms will be defined in a Security Researcher Agreement, on the basis of which the Participant (a.k.a. Security Researcher) becomes eligible to receive the reward.


Eligibility criteria for rewards and participation

To participate in the Bug Bounty Program and for a report to be eligible for bounty consideration, you must meet all of the following requirements:

  1. The submission is sent to CargoX using the form at the bottom of the page.

  2. The vulnerability you identify must be original, not previously reported to CargoX, and not publicly disclosed. 

  3. The report contains clear documentation providing the information required for it to be processed, as stated under Reporting requirements.

  4. Your report complies with all of the Rules of Engagement.

  5. Your report falls within the Program's defined scope.

  6. You are not currently a CargoX employee or contractor, were not a CargoX employee or contractor within 2 years prior to submission, and you did not collaborate on your submission with anyone who was.

  7. You are at least 18 years of age and, if you are considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.

  8. You confirm that your actions will comply with all applicable laws and will not disrupt or compromise any data that does not belong to you.


Reporting flow

When you want to submit a report, please follow these steps:

  1. You submit a report by submitting the form at https://cargox.io/bug-bounty

  2. Our team reviews it and provides feedback as follows:

If the report is out-of-scope:

  1. We will not respond to your submission.

If the report is incomplete:

  1. We will not respond to your submission.

If the report is complete and in-scope:

  1. We will follow up with you to obtain further details concerning the vulnerability.

  2. Before we can reward you, we will ask you to:

    1. Send proof of ID and payment information.

    2. Sign the Security Researcher Agreement.


Data processing

Your personal data will be processed by CargoX d.o.o., Ameriška ulica 2, 1000 Ljubljana, EU, for the purpose of awarding the reward (Article 6(1)(b) GDPR). If you choose not to provide your personal data, it will not be possible to issue the reward. Your personal data will be retained for 5 years; data necessary for tax purposes will be retained for 10 years. You may exercise your rights to access, rectify, restrict processing, and data portability at any time by contacting [email protected]. If you believe that your personal data is not being handled appropriately, we encourage you to reach out to us first. Otherwise, you have the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia.


The following issues are considered out of scope

  • Self-XSS that cannot be used to exploit other users

  • Verbose messages/files/directory listings without disclosing any sensitive information

  • CORS misconfiguration on non-sensitive endpoints

  • Missing cookie flags

  • Missing security headers

  • Cross-site Request Forgery with no or low impact

  • Presence of autocomplete attribute on web forms

  • Reverse tab nabbing

  • Bypassing rate-limits or the non-existence of rate-limits

  • Best practices violations (password complexity, expiration, re-use, etc.)

  • Clickjacking on pages with no sensitive actions, eg. https://cargox.io/contact-us 

  • CSV Injection

  • Host Header Injection

  • Sessions not being invalidated (on logout, after enabling 2FA, etc.)

  • Hyperlink injection/takeovers

  • Mixed content issues

  • Cross domain referrer leakage

  • Anything related to email spoofing, SPF, DMARC or DKIM

  • Content injection

  • Username / email enumeration

  • E-mail bombing

  • HTTP Request smuggling without any proven impact

  • Homograph attacks

  • XMLRPC enabled

  • Banner grabbing / Version disclosure

  • Open ports without an accompanying proof-of-concept demonstrating vulnerability

  • Weak SSL/TLS configurations and SSL/TLS scan reports

  • Not stripping metadata of images

  • Disclosing API keys without proven impact

  • Same-site scripting

  • Arbitrary file upload without proof of the existence of the uploaded file

  • DDoS

  • Iframe embedding of pages with no sensitive content


Confidentiality (Non-Disclosure Agreement) Provision

Confidential Information

As part of the Bug Bounty Program terms, participants may gain access to non-public, proprietary, or confidential information belonging to CargoX. This includes but is not limited to:

  • Vulnerabilities or security issues discovered during testing;

  • Technical details of CargoX systems, networks, software, or infrastructure;

  • Any non-public data, documentation, or communications received from CargoX.

Obligation of Confidentiality

Participants agree that they shall:

  • Not disclose, share, or publish any Confidential Information;

  • Use Confidential Information solely for the purpose of responsibly reporting vulnerabilities to CargoX;

  • Take all reasonable precautions to prevent unauthorized access, use, or disclosure of Confidential Information.

Exceptions

The confidentiality obligations shall not apply if the information:

  • Is or becomes publicly available through no breach of this provision;

  • Is lawfully obtained from a third party without restrictions on disclosure;

  • Is required to be disclosed by law, court order, or government regulation, provided that the Participant gives prompt notice to CargoX to allow for protective measures.

Duration

The obligations under this section remain in effect indefinitely from the date of disclosure of any Confidential Information, including after the termination of participation in the Program.

Breach and Remedies

Any breach of this provision may result in disqualification from the Program, forfeiture of any rewards, and potential legal action. CargoX reserves the right to seek all available remedies, including injunctive relief and damages.

Intellectual Property Rights

By participating in this Bug Bounty Program and upon the payment of any reward, the participant hereby assigns to CargoX all rights, title, and interest, including any intellectual property rights, in and to the submitted reports, findings, solutions, or any related materials (collectively referred to as the "Submissions").

Participants agree that:

  1. Upon payment, CargoX shall have the exclusive and unrestricted ownership of the Submissions, including the rights to use, reproduce, modify, distribute, and commercialize the findings in any manner, worldwide and in perpetuity.

  2. The participant retains no rights to the Submissions and agrees not to use, disclose, or share the Submissions with any third party without prior written consent from CargoX.

  3. If required, the participant will cooperate with CargoX to complete any documents or take further actions necessary to ensure CargoX's IP rights for the Submission.

Participants acknowledge that payment of the agreed reward constitutes full and final compensation for the transfer of intellectual property rights to CargoX.

Violations

Violating these Program terms may result in, but is not limited to:

  1. Revocation of report eligibility;

  2. Denial of potential rewards;

  3. Temporary or permanent revocation of reporter eligibility;

  4. Removal from current engagements and/or prohibition from future engagement eligibility;

  5. Possible liability for damages.

Changes to program terms 

CargoX reserves the right to terminate, discontinue or modify the Program terms at its discretion at any time without prior notice. Changes to the Program terms may be made by posting a revised version on this page. By continuing to participate in the Bug Bounty Program after CargoX posts any such changes, you accept the Program terms as modified.


CargoX Bug Bounty Form

Form for submitting bug bounty reports in accordance with the conditions explained above.