Activeloop Bug Bounty Program
Overview
We deeply value the contributions made by the security research community toward making our platform safer and more secure for everyone. This bug bounty program is designed to encourage responsible vulnerability disclosure and to reward security researchers for their efforts in helping us protect our environment and our users.
Scope
Our bug bounty program targets the following subdomains/services. Any issues discovered on these services should be reported immediately.
- chat.activeloop.ai
- activeloop.ai
In-Scope
We specifically invite reports on:
- Privilege escalation from a lower-privileged user to an admin or higher role
- Remote Code Execution (RCE) vulnerabilities
- Unauthorized access to or extraction of sensitive data (e.g., user data, internal system data)
- SSRF (Server-Side Request Forgery)
- SQL Injection (SQLi)
- XXE (XML External Entity) injection
- Critical user authentication bypass issues
- Other vulnerabilities that could cause significant business or user harm
Out-of-Scope
While we appreciate all research efforts, the following are considered out-of-scope:
- Reports of known vulnerabilities in third-party services, libraries, or frameworks not controlled by Activeloop
- Best practice suggestions or “informational” vulnerabilities that do not have a security impact
- Reports from automated tools or scanners
- Missing security headers which do not lead to direct exploitability
- Denial of Service (DoS/DDoS)
- Social engineering or phishing attempts against Activeloop employees
- Physical security issues
- Any physical testing or attempts to gain direct physical access to Activeloop’s offices or data centers
- Clickjacking and Tabnabbing
- Email security
Reporting Requirements
When you discover a security vulnerability, your report should include:
- Clear Title: A concise title that summarizes the issue
- Issue Description: A detailed explanation of the vulnerability, including what it impacts, the potential harm, and how it might be exploited.
- Reproduction Steps: Step-by-step instructions (with screenshots, if applicable) to reproduce the vulnerability reliably.
- Severity Assessment: A brief rationale for why you believe it has the severity you assign.
Privacy & Disclosure Policy
We kindly request that all researchers refrain from publicly disclosing any details of vulnerabilities found in our platform before we have confirmed that the vulnerability is resolved. To report a vulnerability, contact us at [email protected] and [email protected].
We aim to acknowledge, triage, and resolve reported vulnerabilities promptly. Our typical SLA timeline is:
- Within 5 business days of receiving the report, we will acknowledge it.
- Within 10 business days of acknowledging the report, we will provide our assessment of severity and scope.
These timeframes are targets, not guarantees. Some issues may take longer to resolve depending on their complexity.
Safe Harbor Provision: We will not take legal action against researchers who conduct responsible testing within the scope of this program and follow the rules outlined here.
Reward Determination
We determine bounty amounts by assessing multiple factors, such as the potential impact of the vulnerability, its ease of exploitation, and the overall quality and clarity of the report. Please note that if a vulnerability is deemed very low-risk or does not meet our criticality criteria, we may not award a bounty. If you have any questions about severity or eligibility, please reach out to us with preliminary details. We operate on a “first come, first served” basis—if multiple researchers report the same or closely related vulnerabilities, only the first valid report is eligible for a bounty. If a reported vulnerability is already known to us or has been previously reported, we will not issue a reward.
Thank you for helping us keep Activeloop safe! We appreciate your contributions and vigilance.