How Bug Bounty Reports Work
Understand the full lifecycle of a FireFighter report from submission to payout.
Find a vulnerability
Security research can be conducted on any publicly accessible Fireball surface — the website, API, FireStation, and open-source repositories are all in scope. Out-of-scope systems are listed in the program brief.
Submit your report
Use the structured submission form to describe the vulnerability, reproduction steps, impact assessment, and suggested fix. Attach screenshots, HTTP captures, or proof-of-concept code as appropriate.
Triage and validation
The Fireball security team acknowledges reports within 48 hours. Validation typically takes 5–10 business days depending on complexity. You will receive status updates throughout the process.
Payout
Valid reports receive a cash reward within 30 days of validation. Payout amounts are published in the reward table and scale with CVSS severity score. Critical vulnerabilities earn the highest tier.
