Empire Flippers Bug Bounty Policy

$8,000 rewarded – last reward: Jan 2024

Empire Flippers cares about the security of our systems and the protection of customer data. This is why we have a bug bounty program, to encourage security specialists to report vulnerabilities to us before disclosing them to the general public.

Targets & Rewards
As a general guide, we follow Bugcrowd’s Vulnerability Rating Taxonomy. Cash rewards, at our discretion, will be in the range of:

https://api.empireflippers.com – Backend Ruby on Rails API
https://app.empireflippers.com – Frontend React client

P1 – $3000
P2 – $2000
P3 – $1000
P4 – $200
P5 – $0

https://empireflippers.com – WordPress

P1 – $750
P2 – $500
P3 – $250
P4 – $50
P5 – $0

Access
You can register an account that has the same level of access as customers.

Focus Areas
Empire Flippers stores personally identifiable information, such as bank account statements and passport/driving license scans. We also store sensitive information on how our sellers’ businesses operate, for example, profit and loss statements. Many of our integrations are with Google Drive, and files are uploaded there in addition to Amazon S3.

On the sell side of our marketplace, we ask our sellers to connect to several 3rd party providers that provide us with sensitive information: we use Plaid to verify proof of funds, Google Analytics API to collect and analyze traffic information about a website, and Amazon APIs to collect FBA store information that assists with P&L generation.

On the buy side, we go to great lengths to protect seller information, such as requiring ID and proof of funds verification before we provide private information about a business on our marketplace (the URL of the business and P&L statement).

For a list of the latest updates to areas of testing, please refer to our changelog.

Out-of-Scope

  • Do NOT perform DoS or DDoS attacks.
  • URLs that are outside of the targets.
  • Social engineering attacks.
  • Do NOT in any way attack our end users or engage in the trade of stolen/breached user credentials.

Contact

Please email your vulnerability reports to support@empireflippers.com. Your ticket will be assigned to our engineering team for investigation. Please allow us a few days to investigate your report.

Thank you for helping provide a safe and secure place for buying and selling online businesses!