Security Bug Bounty and

Vulnerability Program

The Traceless Bug Bounty and Vulnerability program is designed to encourage security research and to reward those who help us make our product safer and more secure.


General Eligibility

To be eligible for a reward under this program:

The security bug must be original and previously unreported (either by another researcher or Traceless analysis tools). Duplicate submissions within 72 hours will split the bounty between reporters. If duplicate submissions are of unequal quality, the split will be at the level of the lesser report, and the greater report will receive a pro-rated additional bounty on top of the split.
There is a two week grace period that begins when the vulnerability is checked into the primary source repository. If the issue is identified internally within that time, it is ineligible for a bounty, even if the issue is not recognized as a security vulnerability at time of first identification. If it lasts undiscovered for more than two weeks, it becomes eligible for a bounty.
The security bug must be a part of Traceless application code, not the code of a third party. We will not pay bounties for vulnerabilities in third-party libraries incorporated into shipped client code or third-party websites utilized by Traceless.
You must be old enough to be eligible to participate in and receive payment from this program in your jurisdiction, or otherwise qualify to receive payment, whether through consent from your parent or guardian or some other way.
You must not be an employee, contractor of Traceless Inc.
You should use your best effort not to access, modify, delete, or store user data or Traceless' data. Instead, use your own accounts or test accounts for security research purposes.
You should use your best effort not to access, modify, delete, or store user data or Traceless' data. Instead, use your own accounts or test accounts for security research purposes.
If you inadvertently access, modify, delete, or store user data, we ask that you notify Traceless immediately at and delete any stored data after notifying us.
You must not be on a US sanctions list or in a country (e.g. Cuba, Iran, North Korea, Crimea region of Ukraine, Sudan, and Syria) on the US sanctions list.
You must not exploit the security vulnerability for your own gain.
Before sharing any part of the security issue with a third party, you must give us a reasonable amount of time to address the security issue.
All submissions will be covered under Traceless Terms of Service granting us permission to make use of all submissions.
Do not threaten or attempt to extort Traceless. We will not award a bounty if you threaten to withhold the security issue from us or if you threaten to release the vulnerability or any exposed data to the public.

Safe Harbor

Traceless strongly supports security research into our product and wants to encourage that research.

As a result, we will not threaten or bring any legal action against anyone who makes a good faith effort to comply with this Bug Bounty Program, or for any accidental or good faith violation of this policy. This includes any claim under the DMCA for circumventing technological measures to protect the services and applications eligible under this policy.

As long as you comply with this policy:

  • We consider your security research to be “authorized” under the Computer Fraud and Abuse Act,
  • We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.

We understand that our systems and services are interconnected with third-party systems and services. While we can authorize your research on Traceless’ systems and services, and promise that Traceless will not bring or threaten litigation against you for your efforts under this policy, we cannot authorize efforts on third-party products or guarantee they won’t pursue legal action against you. However, if a third party threatens or brings any legal action against you for your efforts under this policy, we are willing to make clear—to the Court, the public, or otherwise–that we authorized your efforts to test and research the security of Traceless’ eligible systems and services.

If you’re not sure whether your conduct complies with this policy, please contact us first at and we will do our best to clarify.

Modified from the Mozilla Bug Bounty Program, used under a creative commons license.