cubitrace
Security disclosure

Found something? Tell us. We pay.

[email protected] — we acknowledge within 24 hours and fix within a published SLA. PGP key and fingerprint are given below.

In scope

  • www.cubitrace.com, app.cubitrace.com, api.cubitrace.com
  • docs.cubitrace.com
  • Customer-server agents, CLI binaries, OpenAPI surfaces
  • Edge configuration (Caddy ruleset)

Out of scope

  • Customer sites (theirs, not ours)
  • Best-practice issues without exploitable impact
  • Volumetric DoS
  • Social engineering of staff

Bounty range

  • Critical (e.g., cross-tenant data access): €5,000 – €15,000
  • High (e.g., privilege escalation): €1,500 – €5,000
  • Medium (e.g., stored XSS in dashboard): €500 – €1,500
  • Low: €100 – €500

Reporting

Email [email protected] with a clear writeup, reproduction steps, and an impact assessment. Attach any PoC code rather than pasting it inline, and encrypt the mail to the PGP key below if the report contains exploit details.

PGP

Fingerprint: 9F0F 4F9E 6F18 4A11 9C5B 8B3B C8C7 F7B2 11B4 5A12. Full key on /.well-known/security.asc.
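Before encrypting a report to the key above, check that the file you fetched from /.well-known/security.asc actually carries the published fingerprint and does not smuggle in a second primary key. The Python below is an added example, not cubitrace's own tooling: it parses the colon-delimited output of `gpg --show-keys --with-colons` (a real GnuPG option, format documented in GnuPG's doc/DETAILS) and accepts the file only if it contains exactly one primary key whose fingerprint matches this page. The sample records it is checked against are constructed; only the fingerprint, and the key ID derived from its last 16 hex digits, come from this page.

```python
"""Check a fetched PGP key against a published fingerprint before using it.

Added example, not cubitrace's code. Assumes the key file was inspected with
`gpg --show-keys --with-colons`, whose `fpr` record carries the fingerprint in
field 10 (index 9 when split on ':') and follows the `pub`/`sub` record it
belongs to.
"""
import re
import subprocess
from typing import List

# Fingerprint exactly as published on the disclosure page.
PUBLISHED_FINGERPRINT = "9F0F 4F9E 6F18 4A11 9C5B 8B3B C8C7 F7B2 11B4 5A12"


def normalize_fingerprint(fpr: str) -> str:
    """Strip whitespace and colons and upper-case, so formats from different tools compare equal."""
    cleaned = re.sub(r"[\s:]", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit v4 fingerprint: {fpr!r}")
    return cleaned


def primary_fingerprints(colons_output: str) -> List[str]:
    """Return the fingerprints of primary keys only, in file order.

    Subkey fingerprints (`fpr` after `sub`/`ssb`) are ignored: the published
    fingerprint identifies the primary key, and a substituted subkey would
    otherwise be accepted.
    """
    found: List[str] = []
    last_record = None
    for line in colons_output.splitlines():
        fields = line.split(":")
        record_type = fields[0]
        if record_type in ("pub", "sub", "sec", "ssb"):
            last_record = record_type
        elif record_type == "fpr" and last_record in ("pub", "sec"):
            found.append(fields[9].upper())
    return found


def key_matches(colons_output: str, expected: str) -> bool:
    """True only if the file holds exactly one primary key and it is the expected one.

    Rejecting a file with two primary keys matters: gpg would import both, and
    an attacker-controlled download could add a key of their own alongside the
    genuine one.
    """
    found = primary_fingerprints(colons_output)
    return len(found) == 1 and found[0] == normalize_fingerprint(expected)


def inspect_key_file(path: str) -> str:
    """Produce colon output for a key file without importing it into the keyring."""
    result = subprocess.run(
        ["gpg", "--show-keys", "--with-colons", path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample output: one primary key with the published fingerprint
# (key ID = last 16 hex digits), one subkey. Dates and sizes are made up.
SAMPLE_GOOD = "\n".join([
    "pub:-:4096:1:C8C7F7B211B45A12:1700000000::::::scESC::::::23::0:",
    "fpr:::::::::9F0F4F9E6F184A119C5B8B3BC8C7F7B211B45A12:",
    "uid:-::::1700000000::0000000000000000000000000000000000000000::cubitrace security::::::::::0:",
    "sub:-:4096:1:0000000000000000:1700000000::::::e::::::23:",
    "fpr:::::::::0000000000000000000000000000000000000000:",
])

# Constructed sample of a tampered download: the genuine key followed by a
# second primary key the attacker controls.
SAMPLE_SUBSTITUTED = SAMPLE_GOOD + "\n" + "\n".join([
    "pub:-:4096:1:FFFFFFFFFFFFFFFF:1700000000::::::scESC::::::23::0:",
    "fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:",
])


if __name__ == "__main__":
    # Usage against a real download, e.g. curl -sS https://www.cubitrace.com/.well-known/security.asc -o security.asc
    # (the host is an assumption; the page only gives the path):
    #   python3 this_script.py security.asc
    import sys
    if len(sys.argv) == 2:
        ok = key_matches(inspect_key_file(sys.argv[1]), PUBLISHED_FINGERPRINT)
        print("fingerprint OK" if ok else "fingerprint MISMATCH, do not use this key")
        sys.exit(0 if ok else 1)
    print("constructed good sample:", key_matches(SAMPLE_GOOD, PUBLISHED_FINGERPRINT))
    print("constructed tampered sample:", key_matches(SAMPLE_SUBSTITUTED, PUBLISHED_FINGERPRINT))
```

Only after `key_matches` returns true should the key be imported and the report encrypted to it; until then, treat anything served from that path as untrusted input.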

Public hall of fame

We list every accepted report (with researcher consent) at /security/hall-of-fame.