> For the complete documentation index, see [llms.txt](https://docs.ghostfive.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.ghostfive.com/ecosystem/bug-bounty.md).

# Bug Bounty

## Bug Bounty

**We highly value your participation in our bug bounty program, as it plays a vital role in strengthening our security measures. Your dedication to identifying and addressing potential vulnerabilities in our systems is greatly appreciated.**

**Outlined below are the scope and guidelines for our bug bounty program, which encompass both our mobile application, browser extension and web services.**

## Assets

**Our assets are divided into two categories: Ghost client-side applications and Ghost infrastructure and services.**

* **Ghostfive.com**
* **Ghostfive.com**
* **Ghostfive.dev**
* **Any asset confirmed to be owned by Ghost**

## Primary Focus

**The following types are of particular interest to our security team:**

**Vulnerabilities with the potential to steal user funds**\
**Vulnerabilities associated with the leakage of confidential information**\
**Access to Ghost pipelines, processes or build environments**

**Rewards**\
**Critical ($12,500 → $20,000)**

**Examples - Wallet**

**XSS (within the context of the Wallet)**\
**Origin Spoofing (affecting transaction simulation)**\
**Examples - Server-Side**

**Remote Code Execution (within Ghost infrastructure)**\
**SQL Injection (with access to PII)**\
**High ($5,000 → $12,500)**

## **Examples - Wallet**

**PII/Sensitive Data Leakage to Third Parties**\
**Examples - Server-Side**

**SQL Injection (no PII access - only public data and no escalation path)**\
**Medium ($1,500 → $5,000)**

## **Examples - Wallet**

**From**\
**Examples - Server-Side**

**Reflected XSS**\
**Low-Impact IDORs**\
**Low ($50 → $1,500)**

## **Examples - Wallet**

**User interface issues that impact security, such as mislabeled security or privacy features**\
**Examples - Server-Side**

**Hosting malicious JavaScript on a non-essential subdomain (e.g., via XSS or subdomain takeover)**\
**Exceptional Circumstances**

**Ghost is offering a $50,000 bounty for vulnerabilities that demonstrate:**

**Remote extraction of a user’s private key without user interaction, or**\
**Ability to inject malicious code into the build process without being detected**\
**Note: The final determination of whether a vulnerability meets the exceptional criteria is at the sole discretion of the Ghost security team.**
