Security Vulnerability Disclosure Policy

If you discover a security vulnerability on GardenExposed, we encourage you to report it to us immediately. We review all legitimate reports and work quickly to resolve verified security issues.

Please review the following guidelines before submitting a report.

Fundamentals

If you follow the principles below while reporting a security issue to GardenExposed, we will not initiate legal action or enforcement investigations related to your report.

We ask that you:

  • Provide us with reasonable time to investigate and resolve the issue before publicly disclosing it.
  • Do not access private accounts or sensitive data without permission from the account owner.
  • Make a good-faith effort to avoid privacy violations, service interruptions, or destruction of data.
  • Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
  • Comply with all applicable laws and regulations.

Security Reward Program

We appreciate security researchers who help improve the safety of our platform by responsibly disclosing vulnerabilities.

Reward eligibility is determined at the sole discretion of GardenExposed based on the severity, impact, and quality of the report.

To qualify for a potential reward, you must:

  • Follow all disclosure fundamentals listed above.
  • Submit a valid security vulnerability affecting privacy or security.
  • Provide detailed and reproducible steps.
  • Disclose any accidental access to private information during testing.
  • Submit reports directly through our official contact channels.

Reward Guidelines

Rewards are based on the impact and severity of the vulnerability.

The first valid report of a vulnerability is eligible for consideration. Multiple vulnerabilities caused by the same root issue may be treated as a single report.

Critical Severity – Up to $200

  • Remote Code Execution (RCE)
  • Remote Shell or Command Execution
  • Authentication Bypass
  • SQL Injection exposing sensitive data
  • Full account compromise

High Severity – Up to $100

  • Stored Cross-Site Scripting (XSS)
  • Disclosure of sensitive internal data
  • Local File Inclusion (LFI)
  • Authentication or session handling flaws

Medium Severity – Up to $50

  • Business logic vulnerabilities
  • Insecure object references
  • Permission bypass issues

Low Severity – Recognition Only

  • Open redirects
  • Reflected XSS
  • Minor information disclosure

Non-Eligible Reports

The following issues are generally not eligible for rewards:

  • Spam or social engineering attacks
  • Denial of Service (DoS/DDoS) attacks
  • Reports without clear reproduction steps
  • Issues affecting outdated browsers or unsupported software
  • Self-XSS or clickjacking without real impact

Contact Information

  • Business Name: GardenExposed
  • Address: 15723 S Spring Valley Rd, Larkspur, CO 80118, USA
  • Phone: +1 (214) 856-6156
  • Email: contact@gardenexposed.com