Hive Bug Bounty Program

At The Guild, we are committed to the security of our services and our users’ data. The Hive platform bug bounty program is designed to reward security researchers who find and responsibly disclose vulnerabilities in our platform.

We value the work of the security community and believe that a collaborative approach is key to maintaining a secure environment. If you believe you’ve discovered a potential security issue, we encourage you to report it to us.

Scope

This policy applies to security vulnerabilities found in the main platform application, hosted at the following domains:

  • graphql-hive.com
  • *.graphql-hive.com

Any other domains, subdomains, or services owned by The Guild are out of scope for this program.

Out of Scope Assets & Vulnerabilities

The following are strictly out of scope and not eligible for a bounty:

  • Any testing on third-party services or applications that integrate with Hive.
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks.
  • Spam, phishing, or social engineering attacks against our employees, users, or infrastructure.
  • Physical attacks against The Guild’s employees, offices, or data centers.
  • Reports from automated scanners without a valid, reproducible proof-of-concept (PoC).
  • Missing “best practice” configurations (e.g., missing SPF/DKIM/DMARC records, non-critical TLS/SSL issues).
  • Software version disclosures.
  • Clickjacking on pages without sensitive actions.
  • Self-XSS (vulnerabilities that require a user to perform an unlikely action, like pasting malicious code into their own console).
  • Missing HttpOnly or Secure flags on non-sensitive cookies.

Rules of Engagement

To be eligible for a bounty, you must adhere to the following rules:

  1. Do No Harm: You must make a good-faith effort to avoid privacy violations, data destruction, and service interruption.
  2. Respect Privacy: Do not access, modify, or exfiltrate any data that does not belong to you. Stop testing and report immediately if you gain access to any non-public data.
  3. One User: All testing must be performed on your own account(s). Do not attempt to access or interact with other users’ accounts or data.
  4. Report Promptly: Share any discovered vulnerability with us promptly and exclusively.
  5. No Public Disclosure: Do not disclose the vulnerability publicly until we have had a reasonable amount of time to investigate and remediate the issue.

Bounties

We offer monetary bounties for qualifying vulnerabilities based on their severity. The final severity and reward amount are determined at the sole discretion of The Guild’s security team.

  • Critical: $800
  • High: $600
  • Medium: $200
  • Low: $100

Important: The Guild reserves the exclusive right to determine the final severity of any reported issue and the corresponding bounty amount. We may also award smaller bounties or swag for low-impact issues or findings that, while not critical, help us improve our security posture.

How to Report

Please send your findings via email to: security@the-guild.dev

To help us triage your report as quickly as possible, a good report should include:

  • Title: A clear and concise title (e.g., “Stored XSS on Organization Dashboard”).
  • Vulnerability Type: The class of vulnerability (e.g., XSS, IDOR, SQLi).
  • Affected Asset: The full URL or endpoint that is vulnerable.
  • Steps to Reproduce: Detailed, step-by-step instructions so our team can replicate the issue.
  • Proof-of-Concept (PoC): This can include screenshots, code snippets, or a video.
  • Potential Impact: A brief explanation of what an attacker could do with this vulnerability.

Safe Harbor

We consider security research conducted under this policy to be authorized and in good faith. We will not pursue civil or legal action against researchers who comply with all rules of this program.

Thanks!

We appreciate the help and support of our community members who contribute to making Hive a safer platform:

Thank you for helping us keep Hive secure!