Railway Bug Bounty

Introduction

We recognize the important role that security researchers and our user community play in helping to keep Railway and our users secure.

If you have discovered a site or product vulnerability, you may be eligible for a monetary award in accordance with the terms and conditions of our Bug Bounty Program.

Please submit your bug reports to bugbounty@railway.app

Rewards

We strive to reward valid reports within 30 days of acceptance, often sooner. Bounty rewards will be calculated according to CVSS 3.1 as applicable. The official CVSS 3.1 reference used by our program is: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator. At our discretion as Program owners, some report types will not receive rewards based on CVSS 3.1 score. These reports will receive either a fixed amount reward or the reward will be determined on a case-by-case basis. You can find the details in our official document.

Rules

Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted in compliance of this policy, we will make it known that your actions were conducted in compliance with this policy. Railway reserves all legal rights in the event of noncompliance with this policy.

Eligibility

  • Be at least 16 years of age. If you are at least 16 years old, but are considered a minor in your place of residence, you must get your parent's or legal guardian's permission prior to participating in the program.
  • Not be employed by Railway or any of its affiliates or an immediate family member of a person employed by Railway or any of its affiliates.
  • Not be a resident of, or make Submissions from, a country against which the United States has issued export sanctions or other trade restrictions and not otherwise be an embargoed or restricted person.
  • Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Program.

The DOs

  • Do abide by the Program Terms.
  • Do respect privacy & make a good faith effort not to access, process or destroy personal data.
  • Do be patient & make a good faith effort to provide clarifications to any questions we may have about your report.
  • Do be respectful when interacting with our team, and our team will do the same.
  • Do perform testing only using accounts that are your own personal/test accounts.
  • Do exercise caution when testing to avoid negative impact to customers and the services they depend on.
  • Do stop whenever unsure. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.

The DO NOTs

  • Do not leave any system in a more vulnerable state than you found it.
  • Do not brute force credentials or guess credentials to gain access to systems.
  • Do not participate in denial of service attacks.
  • Do not upload shells or create a backdoor of any kind.
  • Do not publicly disclose a vulnerability without our explicit review and consent.
  • Do not engage in any form of social engineering of Railway employees, customers, affiliates or partners.
  • Do not engage or target any Railway employee, customer, or partner during your testing.
  • Do not attempt to extract, download, or otherwise exfiltrate data that may have Personal Identifiable Information or other sensitive data other than your own.
  • Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If ever prompted to change a password of an account you did not register yourself or an account that was not provided to you, stop and report the finding immediately.
  • Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service.
  • Do not interact with accounts you do not own.

Out of Scope

  • Physical or social engineering attempts (this includes phishing attacks against Railway employees)
  • Ability to send push notifications/SMS messages/emails without the ability to change content
  • Ability to take over social media pages (Twitter, Facebook, LinkedIn, etc)
  • Negligible security impact
  • Unchained open redirects
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
  • Highly speculative reports about theoretical damage
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
  • SSL/TLS scan reports (this means output from sites such as SSL Labs)
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • CSV injection
  • Best practices concerns
  • Protocol mismatch
  • Rate limiting
  • Dangling IPs
  • Vulnerabilities that cannot be used to exploit other users or Railway -- e.g. self-xss or having a user paste JavaScript into the browser console
  • Missing cookie flags on non-authentication cookies
  • Reports that affect only outdated user agents or - we only consider exploits in the latest browser versions for Safari, FireFox, Chrome, Edge, IE
  • Issues that require physical access to a victim's computer/device
  • Path disclosure
  • Banner grabbing issues (figuring out what web server we use, etc.)
  • If a site is abiding by the privacy policy, there is no vulnerability.
  • Enumeration/account oracles
  • Account oracles -- the ability to submit a phone number, email, UUID and receive back a message indicating a Railway account exists
  • Distributed denial of service attacks (DDOS)

Details

Once you are ready to make a submission, please make sure you read our Bug Bounty Program Policy in full and then email us at bugbounty@railway.app.