RevU Vulnerability Disclosure Policy 

RevU recognizes the importance of the security community in keeping our systems safe. This policy provides clear guidelines for conducting vulnerability discovery activities and outlines our Safe Harbor commitment to those who act in good faith. We welcome security researchers to test our systems and share feedback to help us improve.

In Scope

Vulnerability Types:

We are interested in vulnerabilities that have a real security impact, including but not limited to:

  • Authentication and authorization bypasses

  • Insecure Direct Object References (IDOR)

  • SQL Injection, Remote Code Execution, and Server-Side Request Forgery

  • Cross-Site Scripting (XSS) — excluding self-XSS

  • Sensitive data exposure or leakage

  • Privilege escalation


Domains:

Out of Scope 

  • Third-party software: RevU integrates with several tools to manage our operations. Vulnerabilities found in these services should be reported directly to their respective providers. This includes but is not limited to the following examples:

    • Customer Support & Analytics: Intercom, Amplitude

    • Development & Infrastructure: GitHub, DigitalOcean, etc.

    • Communication: Slack, Google Workspace

  • Partner Companies (Publishers & Advertisers): RevU’s product acts as a connector between publishers (websites and apps with users who opt in to use RevU) and advertisers (the brands that provide offers to users). While you may encounter third-party sites through our redirects, vulnerabilities in our publishers’ or advertisers’ systems are strictly out of scope. If a bug exists on a site reachable via a RevU link but is not part of our codebase, it does not qualify for this program.

  • Prohibited Attacks and Testing Methods:

    • Disruptive Attacks: Denial of Service (DoS/DDoS), any automated tool sending more than 30 requests per second, or any resource exhaustion.

    • Social & Physical: Any phishing, email spoofing, self-XSS, or physical attacks against RevU facilities, property, or employees.

  • Non-Critical Best Practice Issues: Reports that reflect industry best practices but pose no demonstrable security risk will not qualify. Examples include missing HTTP headers with no exploitable impact, or theoretical vulnerabilities with no practical attack path.

Guidelines for Responsible Disclosure and Legal Protection

  • Do not exploit a vulnerability for any purpose other than your own research. 

  • Securely delete all data retrieved during your research once it is no longer required for the report.

  • Do not alter any data on our systems that you gain access to as a result of your investigation.

  • Do not disclose the vulnerability publicly until we have had a reasonable amount of time to resolve it.

  • Do not violate any other applicable laws or regulations.

If you conduct your research in good faith and comply with these guidelines, RevU will not initiate legal action against you related to your research activities.

Rewards

As a token of appreciation for your responsible disclosure, we may offer monetary rewards up to $15,000 and/or acknowledgments, subject to the severity and impact of the reported vulnerability. Rewards are offered at RevU's sole discretion. There is no guaranteed payout, and not all valid reports will receive compensation. 

How to Submit

If you discover a vulnerability, please report it to us promptly via security@revu.co. To help us triage your report quickly, please include:


  • A clear, descriptive title.

  • Step-by-step instructions to reproduce the issue.

  • Any supporting documentation, screenshots, or Proof of Concept (PoC) code.

  • Your contact information for follow-up.


Our security team aims to acknowledge receipt of your report within 3 business days. We will investigate the issue and provide regular updates on our progress. Once the vulnerability is resolved, we will notify you and, depending on the impact, discuss the possibility of public acknowledgment/rewards for your contribution.


RevU reserves the right to modify reward criteria at any time without prior notice. Individuals residing in countries subject to US sanction regulations are not eligible for monetary rewards.

© 2026 RevU All rights reserved
