Security researchers must not:

• Test any system other than the systems set forth in the ‘Scope’ section above.
• Disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ sections below
• engage in physical testing of facilities or resources,
• engage in social engineering,
• send unsolicited electronic mail to Perfios users, including “phishing” messages.
• execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks,
• introduce malicious software,
• test in a manner which could degrade the operation of Perfios systems or intentionally impair, disrupt, or disable Perfios systems,
• test third-party applications, websites, or services that integrate with or link to or from Perfios  systems, Perfios data, or render Perfios data inaccessible, or
• use an exploit to exfiltrate data, establish command line access, establish a persistent presence on Perfios systems, or “pivot” to other Perfios systems.

Security researchers may:

• View or store Perfios nonpublic data only to the extent necessary to document the presence of a potential vulnerability.

Security researchers must:

• cease testing and notify us immediately upon discovery of a vulnerability,
• cease testing and notify us immediately upon discovery of an exposure of nonpublic data, and
• Purge any stored Perfios nonpublic data upon reporting a vulnerability.

• Age: Participants must be 18 years of age or older at the time of entry.
• Affiliation: Individuals affiliated with Perfios, including employees, contractors, and their immediate families, are not eligible to participate.
• Country of Residence: We accept submissions globally.
• Compliance: Researchers must be in full compliance with all terms and conditions of the Perfios Bounty Initiative.

Denial of Service (DoS) & Rate-Limiting

• Resource-exhaustion attacks (API flood, large/mass uploads, oversized payloads)
• Rate-limiting bypass on non-sensitive endpoints, brute-force against non-critical functions, automated stress tools (LOIC, JMeter)

Tool/Scanner-Generated or Informational Findings

• Automated-only reports without PoC or demonstrable impact (e.g., outdated-library alerts)
• Informational/low-risk issues: version disclosures, missing security headers (X-Frame-Options, X-Content-Type-Options), stack traces, debug messages, deprecated HTML/CSS/JS

Authentication & Session Management – Low-Impact

• Missing HttpOnly/Secure/SameSite flags on non-sensitive cookies
• Logout-CSRF or minor logout-flow quirks
• No account-lockout on brute-force against non-critical endpoints

Client-Side/UI/UX Only

• Typos, broken links, layout or alignment bugs
• Client-side validation bypasses with no server-side impact

Test Accounts & Social Engineering

• Attacks requiring social engineering, phishing, physical/insider access
• Use of test/demo/default credentials not provisioned by the program

Other Generic Exclusions

• Clickjacking on non-sensitive pages
• DNS/SPF/DMARC misconfigurations without a viable exploit
• Email-spoofing absent actionable domain-level impact
• Open ports/services with no proven risk
• Missing or overly broad Content-Security-Policy not leading to XSS
• Physical security attacks against offices, data centers, or any physical assets
• Third-party platforms/components not under our direct control
• Unconfirmed reports: lacking a clear PoC or detailed reproduction steps

Carefully review and understand the rules and scope of the bug bounty program. Each program has specific guidelines, eligibility criteria, and a defined scope of systems, applications, or services that are in-scope for testing. Focus your efforts on these areas to ensure your findings are eligible for rewards.

When reporting a vulnerability, commit to providing clear and comprehensive details to help the organization reproduce and validate your findings. Include step-by-step instructions, proof-of-concept code if applicable, and any other relevant information that can assist the organization's security team in understanding and verifying the issue.

Engage in professional communication with the organization's security team. Be responsive to any requests for clarification, additional information, or coordination during the vulnerability verification process. Maintain open and respectful communication throughout the entire process, understanding that both parties are working together to improve security.

Always adhere to responsible disclosure practices. When you discover a vulnerability, avoid exploiting it for malicious purposes or sharing it with unauthorized parties. Instead, immediately report the vulnerability to the program organizers following the reporting process outlined in the program guidelines. This allows the organization to address the issue before potential harm can occur.

Researchers participating in our programs are expected to adhere to specific Safe Harbor provisions. They are assured Legal Protection; by complying with all program terms, they're granted a legal safe harbor, ensuring they won't face lawsuits or legal actions for their reported findings. Participants also commit to Responsible Disclosure, providing ample time to address and rectify vulnerabilities and doesn't disclose any findings publically what so ever. Testing should be confined only to systems they have explicit authorization to assess. Furthermore, during the assessment, data access should be minimized, focusing only on what's necessary to validate a vulnerability, and retaining no user data beyond what is absolutely required.