Bug Bounty Program

BX Technologies is a farm intelligence platform that helps farming enterprises turn fragmented data into actionable insights. We welcome responsible disclosure of vulnerabilities. Please act in good faith and avoid harming users, data, or service availability.

Ground Rules

  • Disclosure window: Please allow up to 90 days for remediation before any public disclosure (unless otherwise specified by mutual agreement)
  • No harm: Don’t exfiltrate, manipulate, or destroy data; avoid degradation/DoS, spam, or service disruption
  • Good-faith only: No social engineering, phishing, physical security testing, or attacks on third-party providers
  • Stop on sensitive data: If you encounter personal data, secrets, or payment information, stop testing and report immediately without retaining copies
  • Respect rate limits: Keep traffic reasonable; coordinate if testing could affect availability

Safe Harbour

Good-faith research under this policy is authorised by BX Technologies. We won’t pursue legal action or law-enforcement investigation for activities that comply with this policy. If third parties raise legal issues, we will make our authorisation clear.

Scope

In Scope
  • bx.tech and subdomains (*.bx.tech) owned by BX Technologies
  • Public-facing web apps and APIs that power BX features
Out of Scope
  • Denial of Service, spam, brute force, or automated account enumeration
  • Third-party services not owned/controlled by BX (unless explicitly listed as in scope)
  • Low-impact issues without demonstrated exploitability (e.g., missing security headers, version banners), self-XSS, or attacks that only affect outdated browsers

Rewards

Rewards are discretionary, based on severity, impact, and report quality.

Severity | Examples | Reward
Critical | RCE; full auth bypass; DB read/write; critical API takeover | $1,000 – $2,000
High | Stored XSS (privileged panels); IDOR exposing sensitive data; SSRF to internal services; privilege escalation | $400 – $1,000
Medium | Reflected XSS with realistic exploitation; CSRF on important actions; leakage of tokens/keys with impact | $150 – $400
Low | Minor info disclosure; low-risk CSRF/clickjacking; best-practice gaps with limited impact | $50 – $150
Out of Scope | DoS, spam, brute force, self-XSS, outdated-browser issues, non-exploitable header findings | No reward

BX may cap monthly payouts and may pause rewards after a cap is reached. Rewards are guidelines, not guarantees. All payouts require an invoice and are made by wire transfer.

How to Submit

Keep it concise but actionable. Please include a clear description, reproducible steps, affected URLs/endpoints, impact, and a simple PoC if possible. Send to [email protected]. We aim to acknowledge within 3 business days.

This policy does not create a contractual relationship or waiver beyond the safe-harbour statement. Rewards are at BX’s discretion and may change. By participating, you agree to this policy.


Last updated: 6th November 2025