
Bug Bounty Program

We build privacy hardware. We'd be hypocrites if we couldn't take a punch.
April 8, 2026 • GhostPort Technologies
WANTED
DEAD OR ALIVE
SECURITY VULNERABILITIES
FOR CRIMES AGAINST PRIVACY, INTEGRITY, AND AVAILABILITY
REWARD TO BE NEGOTIATED

We're a privacy company that runs on open-source software, AI-to-AI coordination, and a WireGuard tunnel that carries real families' internet traffic. If there's a hole, we want to know about it before someone else finds it.

So we're putting bounties on bugs. Find something, report it responsibly, get paid. No lawyers, no NDAs, no runaround. Just good security.

The Bounty Board

SEVERITY | DESCRIPTION | BOUNTY
CRITICAL | Remote code execution, tunnel compromise, key extraction, auth bypass granting admin access, data exfiltration of customer information | TBN
HIGH | Privilege escalation, persistent XSS on authenticated pages, HMAC/signature bypass, WireGuard config manipulation, DNS leak under any privacy mode | TBN
MEDIUM | Reflected XSS, CSRF on state-changing actions, information disclosure (internal IPs, versions, stack traces), rate limit bypass | TBN
LOW | Missing security headers, cookie flags, clickjacking on non-sensitive pages, verbose error messages, theoretical issues with no demonstrated impact | TBN

Bounties are paid per unique vulnerability. If two people report the same bug, first report wins. We'll acknowledge receipt within 48 hours and aim to confirm or deny within 7 days.

What's in Scope

FLEET API | api.ghostporttechnologies.com | authentication, authorization, tenant scoping, Stripe webhooks, device provisioning
WEB PROPERTIES | blog, affiliates, tools, facts, demo, investors (all *.ghostporttechnologies.com subdomains) | 
PI SOFTWARE | Dashboard API, nftables rules, privacy mode switching, DNS configuration, Family Shield, WireGuard tunnel integrity | 
BRIDGE PROTOCOL | Claude-to-Claude messaging | HMAC signing, AES encryption, replay protection, injection detection

Rules of Engagement

We're inviting you to hack us. But there are rules on this ship:

  1. No denial of service. Don't flood endpoints, don't crash services, don't disrupt active tunnels. Real families are using this infrastructure right now.
  2. No social engineering. Don't phish us, don't call pretending to be someone, don't dumpster dive our trash. Find real technical bugs.
  3. No data destruction. If you find a way to delete data, report it. Don't demonstrate it on production.
  4. No third-party systems. Don't attack Stripe, AWS, Cloudflare, or any service we integrate with. That's their scope, not ours.
  5. Report privately first. Email your findings to security@ghostporttechnologies.com. Don't post it on Twitter before we've had a chance to fix it.
  6. 90-day disclosure window. If we haven't fixed it in 90 days, you're free to publish. We'll almost certainly fix it faster than that.
  7. Be a pirate, not a vandal. Take the treasure, leave the ship intact.

What We Don't Pay For

Scanner output dumps. Running Nessus and sending us the PDF isn't research. Show us the exploit.

Self-XSS. If it only works when the victim pastes JavaScript into their own console, it's not a vulnerability.

Missing DMARC/SPF/DKIM. We know. It's on the list.

Theoretical attacks with no proof of concept. "This COULD be exploited if..." isn't a report. Show us it CAN be.

Rate limiting on login. We have it. If you think you bypassed it, prove it.

Outdated software versions. Unless you can demonstrate an exploit that works against our configuration, version numbers alone aren't bugs.

How to Report

Send your findings to security@ghostporttechnologies.com with:

  1. Description — what the vulnerability is, in plain English
  2. Steps to reproduce — exactly how to trigger it, every time
  3. Impact — what an attacker could actually do with this
  4. Proof of concept — screenshots, curl commands, video, whatever proves it works
  5. Your payment info — PayPal, Venmo, or crypto address for the bounty

We'll acknowledge within 48 hours. We'll confirm severity within 7 days. If it's valid, you get paid when the fix ships. If we disagree on severity, we'll explain why — and we're open to being wrong.

Hall of Fame

First researcher to break the gates • April 10–18, 2026

Michael F — NullFox

Vulpine Security • nullfox@vulpinesec.com • github.com/Vulpine-security

NullFox conducted the first formal external security engagement against the GhostPort web platform. Across nine days he produced 13 findings: one High-severity authentication chain on the affiliate registration endpoint (patched within an hour of disclosure), one Medium, three Low, and eight Informational items spanning the affiliate platform, API surface, and DNS configuration.

Beyond the headline finding, his report identified a structural pattern none of us had named clearly: the affiliate platform's email-validation gap was the shared root of mass account creation, automated enumeration, brute-force reach, and a payout-fraud chain. Naming the pattern collapsed four separate remediation tickets into one workstream. That kind of analysis is what makes an external researcher worth the engagement.

He also disclosed responsibly, cleaned up after testing, and made the engagement easy on our side at every step. We took him up on a wide-open scope; he took it seriously and did not abuse it.

Specific finding details remain private per program rules. Status of the public-facing remediations is tracked in the dev log.

Every confirmed vulnerability gets the researcher credited here (or anonymous if you prefer). We respect the people who make us stronger.
