Bug bounty program


Get rewarded for reporting security concerns

Bug bounty and security program overview

We take security very seriously at Achievable. If you believe you've found a security issue on Achievable, please let us know as soon as possible. We will investigate all legitimate reports and fix any issues.

We have given out rewards for reported issues on a case-by-case basis. Rewards vary depending on the severity of the issue and are typically within $50 to $500 USD.

We encourage all valid reports. However, if you are simply going to run a minimal-effort scanner (e.g. Burp Suite or ZAP), please do not. We receive countless ineligible, non-exploitable "issues" from these scanners and will not reply; you will just be wasting your time and ours. Thank you.

Please also note that our access token system intentionally supports authenticating across multiple devices at the same time. If a user has signed into multiple devices, and then signs out of one device, the others should remain signed in. The persistence of access tokens is necessary to support this use case, and any request made using a valid access token from any device should succeed.

How to submit an issue report

Submit your issue report via email to security@achievable.me, including clear and concise reproduction instructions.

Your report will be investigated by a member of our security team as soon as reasonably possible. We may contact you to request additional information. If your report is determined to be a valid issue and you are the first reporter, we will assign a reward based on the severity and send payment via PayPal.

Rewards will ONLY be made via PayPal.

Issue eligibility

We encourage you to ethically disclose vulnerabilities to us so we have the opportunity to address any issues and coordinate disclosure after a fix has been deployed. All reports regarding Achievable's security are welcomed, provided that the issue is exploitable by an adversary. Please check the lists below for a list of common eligible examples, as well as common non-exploitable "issues" which do not qualify for a reward.

Eligible examples:

  • Cross-site scripting
  • Cross-site request forgery in a privileged context
  • Server-side code execution
  • Authentication or authorization flaws
  • Stored injection vulnerabilities
  • Directory traversal
  • Information disclosure
  • Significant infrastructure misconfiguration

Ineligible examples:

  • Content spoofing or text injection
  • Self-cross-site scripting (self-XSS)
  • Minimal-risk open redirects
  • Minimal-risk XSRF such as sign out
  • Minimal-risk clickjacking or UI redressing
  • Missing HTTP request headers
  • Missing cookie flags on non-sensitive cookies
  • Link expirations such as password reset
  • Persisted authentication after password change
  • Password complexity, re-use, or related policies
  • Email verification or account recovery policies
  • Non-bulk username or email enumeration
  • Unauthenticated access to cached content
  • GraphQL or API endpoint enumeration
  • Policies on rate-limiting or throttling
  • DoS or DDoS attacks
  • Invalid or missing SPF/DKIM/DMARC configuration
  • SSL/TLS configuration best practices
  • Host or software version disclosure
  • Methods to bypass content metering
  • Cross-site tracing (XST)
  • Existence of EXIF data
  • WordPress configuration (blog.achievable.me)
  • Discourse configuration (talk.achievable.me)

Terms and conditions

We promote ethical disclosure and ask that:

  • You give us a reasonable amount of time to investigate and fix any issues before publicly disclosing any information
  • You make a good faith effort to avoid disruption to others, not conducting activities that lead to data deletion, data manipulation, or the degradation of our services
  • You do not exploit any issue you discover
  • You do not violate any laws or regulations

Thank you!

Achievable security team