Amnic’s Responsible Disclosure Policy

Data security is a top priority for Amnic, and Amnic believes that working with skilled security researchers can identify weaknesses in any technology. If you believe you’ve found a security vulnerability in Amnic’s service, please email us. We will revert to the report within one week.

Targets in scope.

Amnic Application hosted at and any other subdomains or services associated with the Amnic Application.

Out of Scope Targets.

  • All the sandbox and staging environments are out of scope.

  • All external services/software which are not managed or controlled by Amnic are considered out of scope.

  • We do not accept reports for vulnerabilities solely affecting our marketing website (, which contains no sensitive data.


Prerequisites to qualify for reward:

  • Be the first researcher to responsibly disclose the bug. Duplicate submissions are not eligible for any reward.

  • Your report must be in scope.

  • You must demonstrate a vulnerability with proof/evidence.

At Amnic, we value the security of our systems and applications and appreciate any reports of vulnerabilities. However, it is important to note that we have the sole authority to assess and decide on the validity and impact of any reported vulnerabilities. While we welcome all reports, deciding whether to take action or dismiss a report is final.


For reporters who report a valid security issue, we send Amnic Swag as a thank you!

Qualifying vulnerabilities (in-scope)

  • Remote Code Execution, Code Injection, OS Command Injection

  • SQL Injection (Inband SQLi; Blind SQLi)

  • SSRF (unrestricted); Content-Restricted SSRF; Error-based SSRF (true/false); Blind SSRF

  • Authorization Bypass, Account Takeover

  • Cross-Site Scripting (XSS)

  • Cross-Site Request Forgery (on sensitive actions)

  • Broken Authentication / Authorization

  • Broken Session flaws

  • Business Logical flaws

  • Open Redirects (which allow stealing secrets/tokens)

Out-of-scope vulnerabilities

Some of the reported issues, which carry low impact, may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues which typically do not earn any rewards:

  • Clickjacking

  • Bugs requiring exceedingly unlikely user interaction (e.g Social engineering)

  • Any kind of spoofing attacks or any attacks that leads to phishing (e.g. Email spoofing, Capturing login credentials with fake login page)

  • Denial-of-service attacks or vulnerabilities that leads to DOS/DDOS

  • Login - Logout cross-site request forgery

  • Self XSS

  • Presence of server/software banner or version information

  • Stack traces and Error messages which do not reveal any sensitive data

  • Third-party API key disclosures without any impact or which are supposed to be open/public.

  • OPTIONS / TRACE HTTP methods enabled

  • Missing HTTP Security Headers (e.g. Strict-Transport-Security - HSTS)

  • Missing Cookie Flags (e.g. HttpOnly, secure etc)

  • Host Header Injection

  • Broken Links (e.g. 404 Not Found page))

  • Known public files or directories disclosure (e.g. robots.txt, css/images etc))

  • Browser ‘autocomplete’ enabledd

  • HTML / Text Injectionn

  • Certificates/TLS/SSL related issues (e.g. BREACH, POODLE)

  • Missing email best practices such as Invalid, incomplete, or missing SPF/DKIM/DMARC records.

  • Weak CAPTCHA or CAPTCHA bypass (e.g. using browser addons)))

  • Brute force on “Login with password” pagee

  • Account lockout not enforced

  • Any kind of vulnerabilities that requires installation of software like web browser add-ons, etc in victim's machine

  • Rate limit mechanism bypass

  • Open redirects unless an additional security impact can be demonstrated.

  • Vulnerabilities only affecting users of outdated or unpatched browsers or operating systems.