Security reporting program

The IBA Group Security Reporting Program for tapXphone Software Terms and Conditions ("Terms") governs your participation in the IBA Group Security Reporting Program ("Program"). These Terms are between you and IBA Group, a.s. ("IBA," "us," or "we"). By performing vulnerability research against IBA’s infrastructure, submitting any vulnerabilities to IBA, or otherwise participating in the Program in any manner, you accept these Terms.

Program Eligibility

  • Participants must be at least 18 years old.

  • IBA employees and contractors, as well as their family members, are strictly prohibited from participating in the Program, or sharing information with an external security researcher to bypass this prohibition.

Rules of Engagement

Your participation in our program is voluntary and subject to the following:

  • Your submission must include a working Proof of Concept to be considered for a reward.

  • Avoid harm to others’ data and privacy. Specifically:

    • If you encounter any personal data or sensitive information in the course of your research, stop and notify our team immediately so we can investigate. Please report to us what data was accessed and delete the data. Do not save, copy, download, transfer, disclose, or otherwise use this data. Continuing to access others’ data or otherwise failing to adhere to this requirement will disqualify you from participating in the Program.

    • If your research is designed to identify and demonstrate a vulnerability that could allow unauthorized access to personal data or sensitive information, make sure to take measures to minimize your access to or usage of such data to what is absolutely necessary to achieve those purposes (i.e., identification and demonstration of a vulnerability that could allow unauthorized access to personal data or sensitive information). For example, if you are injecting code into IBA’s environment to test whether you could exfiltrate data from an IBA database, limit the potential exfiltration to the first three rows and five columns of the table rather than the entire database.

    • If, even after taking measures to minimize access to personal data or sensitive information, you ultimately end up encountering such data in the course of your research, follow the mitigation measures described above.

  • Do not leverage the existence of a vulnerability or access to personal data or sensitive information to make threats or extortionate demands. Do not degrade, interrupt, or deny services to our users or take any actions that can affect the availability or integrity of IBA’s systems and data (e.g., modifying or deleting data). If you notice service degradation or interruption, stop your research and notify us immediately.

  • Do not incur loss of funds that are not your own.

  • By reporting a vulnerability, you grant IBA and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, and create derivative work from, or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, arising out of your submission.

  • You will be responsible for any tax implications related to any bounty payment you receive, as determined by the laws of your jurisdiction.

  • Whether to provide a reward for your submission, the amount of the reward, and your eligibility to participate in the Program are entirely at our discretion.

  • We consider only the earliest, responsibly-disclosed submission of a vulnerability instance with enough actionable information to identify the issue for a reward. All other reports for a given issue will not be eligible for a reward under our Program.

  • Your research must not violate any applicable laws or regulations.

Submission Review Process

After a submission is sent to IBA in accordance with the Rules of Engagement described above, IBA engineers will review the submission and validate its eligibility for a reward. The review time could vary depending on the complexity and completeness of your submission, as well as on the number of submissions we receive.

As explained in the Rules of Engagement, IBA retains sole discretion in determining which submissions are qualified for a reward. If we receive multiple bug reports for the same issue from different parties, the bounty will be granted to the first eligible submission. If a duplicate report provides new information that was previously unknown to IBA, we may award a differential to the person submitting the duplicate report. IBA will also reopen and reward any report mistakenly closed as invalid if we later receive and reward the same bug reported by someone else. In these situations, we pay both researchers.

Ineligible Vulnerabilities

Below are some examples of issues that are out of scope for the IBA Group Security Reporting Program for tapXphone Software:

  • Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device

  • Username enumeration on customer-facing systems (i.e., using server responses to determine whether a given account exists)

  • Vulnerabilities requiring extensive user interaction

  • Exposure of non-sensitive data on the device

  • Vulnerabilities in third-party libraries without a demonstrated, specific impact on the target application (e.g., a CVE with no exploit)

  • Best practice reports without a valid exploit (e.g., use of "weak" TLS ciphers)

  • Leakage/disclosure of Google Services API keys without demonstrated impact

  • Decompiling or reverse engineering an app

  • Phishing and social engineering attacks

  • Reports on non-eligible device versions or OS versions

  • Use of deprecated or banned APIs

  • Sensitive info in logs in staging/test builds

Bug Submission Requirements

Required information. For all submissions, please include:

  • Full description of the vulnerability being reported, including the exploitability and impact

  • Evidence and explanation of all steps required to reproduce the submission, which may include:

    • Videos

    • Photos

    • Exploit code

    • Traffic logs

    • Web/API requests and responses

  • Email address or user ID of any test accounts

  • IP address used during testing

  • For RCE submissions, see the guidelines below

Remote Code Execution (RCE) Submission Guidelines:

  • Source IP address

  • Timestamp, including time zone

  • Full server request and responses

  • Filenames of any uploaded files, which must include “bugbounty” and the timestamp

  • Callback IP and port, if applicable

  • Any data that was accessed, either deliberately or inadvertently

  • Allowed actions:

    • Directly injecting benign commands via the web application or interface (e.g., whoami, hostname, ifconfig)

    • Uploading a file that outputs the result of a hard-coded benign command

  • Prohibited actions:

    • Uploading files that allow arbitrary commands (i.e., a webshell)

    • Modifying any files or data, including permissions

    • Deleting any files or data

    • Interrupting normal operations (e.g., triggering a reboot)

    • Creating and maintaining a persistent connection to the server

    • Intentionally viewing any files or data beyond what is needed to prove the vulnerability

    • Failing to disclose any actions taken or any applicable required information

Disclosure

By participating in this program, you agree not to publicly or privately disclose the contents of your submission, your findings, your communications with IBA related to your participation in the Program, or any facts you have learned about IBA in the course of your participation in the Program to any third party without IBA’s prior written approval. There are no exceptions.

Researcher Privacy

To protect your privacy, we will not, unless served with legal process or to address a violation of this policy:

  • Share your personally identifiable information with third parties

  • Share your research without your permission

  • Share your participation without your permission

Accountability

IBA reserves the right to disqualify you from participating in the Program if you violate the Rules of Engagement or other rules specified in this program policy, including the rules about disclosure.

Changes to the Terms

We may change the Terms at any time. Participating in the Program after the changes become effective means you agree to the new Terms. If you don't agree to the Terms, you must not participate in the Program.

Contact

Feel free to submit any comments or questions about our program to security@tapxphone.com.

Last updated