Bug Bounty Program

Scope

Our bug bounty program covers the following domains and applications:

• willed.com.au
• app.willed.com.au
• API and Firebase-backed workflows reachable from those applications

Rewards

We offer rewards based on the severity and impact of the reported vulnerabilities:

Critical

$1,000 – $5,000

High

$500 – $1,000

Medium

$100 – $500

Low

$50 – $100

Submission guidelines

Prepare a detailed report of the vulnerability you’ve discovered. Send your report via email to security@willed.com.au with the subject line ‘Bug Bounty Submission’. In your email, include:

• A clear description of the vulnerability
• Detailed steps to reproduce the issue
• Any relevant screenshots or proof of concept
• Only the minimum evidence needed to demonstrate impact
• Your contact information for follow-up communication

Rules of engagement

Do not attempt to access or modify user data. Avoid denial-of-service attacks. Do not use automated scanning tools without permission. Stop testing and report promptly if you encounter personal information, authentication bypasses, or access to another user’s account. Keep findings confidential until we have investigated and remediated them.

Legal

We will not initiate legal action or make a complaint to law enforcement for security research conducted in good faith, within the scope of this program, and in accordance with these rules. Safe harbour does not apply to activity that harms availability, accesses, modifies, deletes, or exfiltrates personal information beyond the minimum needed to demonstrate impact, targets third-party systems, uses social engineering or physical attacks, or continues after we ask you to stop.

Contact

For any questions or concerns, please contact our security team at security@willed.com.au.

Acknowledgements

We appreciate the efforts of all security researchers who contribute to making our platform more secure.