Bug bounty
Help us protect a billion people
We pay for high-quality reports that make the platform safer. The brackets below scale once we exit early access; until then we top up with platform credits and Earn-Layer payouts on top of cash.
Rewards
| Severity | Range | Examples |
|---|---|---|
| Critical | £2,000 - £8,000 | Account takeover, RCE, mass PII exfiltration, payment forgery, CSAM bypass |
| High | £500 - £2,000 | RLS bypass, IDOR on private data, privilege escalation, persistent XSS |
| Medium | £100 - £500 | CSRF on sensitive action, stored XSS in user-only views, rate-limit bypass |
| Low | £25 - £100 | Reflected XSS in low-traffic surfaces, missing security headers, leaking metadata |
In scope
- https://app.futureassistants.example/*
- https://api.futureassistants.example/*
- Mobile / desktop PWA installs
- Mini-app SDK iframe sandbox
- Inworld avatar binding + automation execution paths
Out of scope
- Self-XSS requiring victim to paste payload
- Denial-of-service / volumetric attacks
- Social engineering of staff or other users
- Physical attacks against our offices
- Findings in third-party services (report directly to vendor)
Safe harbour
If you make a good-faith effort to comply with this policy during your security research, we will not initiate or support legal action against you. We will work with you to understand and resolve the issue quickly and provide written confirmation of safe harbour for your specific report.
How to report
- Email security@futureassistants.example (PGP key fingerprint: 8B5A 90E6 ... pinned on /security).
- Include reproduction steps, impact, and a video or PoC if useful.
- Wait for our acknowledgement (≤ 48h) before disclosing.
- We aim to fix critical issues within 14 days; you can request CVE assignment.