Security Programme

Bug Bounty Programme

We take the security of SupervisorSync seriously. If you discover a vulnerability, we want to hear from you — and we reward responsible disclosure. Help us keep institutions safe.

Rewards

We offer rewards ranging from $50 to $5,000 for validated vulnerabilities, based on severity, impact, and quality of the report. Bounties are paid within 7 business days of resolution via bank transfer or your preferred method.

Eligibility
  • Security vulnerabilities in supervisorsync.com, the web app, or API endpoints
  • Previously unreported vulnerabilities not already on our engineering roadmap
  • Authentication and payment flows, admin / supervisor / student portals
  • File upload and resource management features
  • Role-based access control and privilege escalation vectors
  • Clear documentation of the vulnerability with reproducible steps and a proof of concept
Out of Scope
  • Third-party services (payment systems, email providers, hosting infrastructure, etc.)
  • Social engineering or phishing attacks against our team
  • Denial of service (DoS / DDoS) attacks
  • Physical security or device access attacks
  • Basic domain hygiene and informational findings with no demonstrable impact
  • Vulnerabilities in third-party dependencies we do not control
Responsible Disclosure Policy

By participating in our bug bounty programme, you agree to the following:

  • Test only against your own accounts — never access, modify, or delete other users' data
  • Keep all vulnerability information confidential until we confirm resolution
  • Delete any data obtained through testing immediately after submission
  • Do not exploit vulnerabilities beyond what is necessary to verify the issue
  • Allow us reasonable time to triage and remediate before any public disclosure
  • Provide a clear, reproducible proof of concept with your report
Note on public disclosure: Removing any public disclosure of a vulnerability is a condition of payment. We have a zero-tolerance policy for reports that put our institutions at risk through premature exposure. We will not pursue legal action against researchers who follow these rules and act in good faith.
How the Process Works
01 Submit

Use the form or email hello@supervisorsync.com with full details and a PoC.

02 Triage

We acknowledge within 48 hours and classify severity within 5 business days.

03 Remediate

Our engineering team patches the issue and keeps you informed throughout.

04 Reward

Bounty paid within 7 business days of resolution.

🛡️ Report a Vulnerability
Submit your findings securely. Our security team reviews all submissions and responds within 5 business days.

Safe Harbour: We will not pursue legal action against researchers who follow these rules and act in good faith.