Report Security Issue
Vulnerability Disclosure & Bug Bounty Policy
At Homex.land, we are committed to the security of our customers and our services. We encourage security researchers to help us keep our community safe by responsibly identifying and reporting potential vulnerabilities.
We will review all legitimate reports and do our best to resolve any issues quickly.
1. Safe Harbor
To encourage responsible reporting, we will not take legal action or initiate a law enforcement investigation against you in response to your report, provided you comply with the following principles:
- You give us a reasonable amount of time to review and repair the issue you report before making any information about it public.
- You do not access, modify, or exfiltrate private or company data. If you gain access to any non-public data, you must stop testing and report it immediately.
- You make a good faith effort to avoid privacy violations, degradation of our services, and destruction of data.
- You do not exploit a security issue you discover for any reason, including for personal gain or to demonstrate additional risk.
- You do not violate any other applicable laws or regulations.
2. How to Report a Vulnerability
If you believe you have found a security vulnerability on Homex.land, please submit your report to us by email at Support@Homex.land.
To help us validate and fix the issue faster, your report should include:
- A detailed description of the vulnerability.
- Clear, step-by-step instructions to reproduce the issue.
- A proof-of-concept (e.g., screenshots, code snippets, or a video).
We investigate and respond to all valid reports. Due to the volume of submissions, we prioritize them based on risk and impact, so it may take some time before you receive a reply.
3. Bounty Program & Rewards
We offer monetary bounties for security reports that help us protect our users. Rewards are at our discretion and are based on the vulnerability's impact, severity, and the quality of the report.
Program Rules:
- You must adhere to our Safe Harbor principles (see above).
- When duplicate reports are submitted, we award a bounty to the first report that we can fully reproduce.
- Multiple vulnerabilities caused by a single underlying issue will be awarded one bounty.
- We reserve the right to publish reports after they have been resolved.
Reward Tiers:
Reward amounts are based on severity. The amounts listed are the maximum we will pay for each level.
- Critical Severity Vulnerabilities (Up to $200 AUD)
  - Definition: Vulnerabilities that could allow for remote code execution, financial theft, or privilege escalation from an unprivileged account to an administrator.
  - Examples: Remote Code Execution (RCE), SQL Injection, full access to other user accounts.
- High Severity Vulnerabilities (Up to $100 AUD)
  - Definition: Vulnerabilities that seriously affect the platform's security or disclose sensitive data.
  - Examples: Stored Cross-Site Scripting (XSS), Insecure Direct Object References (IDOR) leading to significant data exposure, disclosure of sensitive company information.
- Medium Severity Vulnerabilities (Up to $50 AUD)
  - Definition: Vulnerabilities that affect multiple users but may require some user interaction to trigger.
  - Examples: Common logic flaws, reflected Cross-Site Scripting (XSS).
- Low Severity Vulnerabilities (Discretionary / No Reward)
  - Definition: Issues that affect single users and require significant prerequisites to trigger.
  - Examples: Open redirects, low-sensitivity information leaks.
4. Out-of-Scope Vulnerabilities
The following issues are considered out of scope for our bounty program:
- Denial of Service (DoS or DDoS) attacks.
- Social engineering or phishing attacks targeting our employees or customers.
- Physical attacks against our property or data centers.
- Reports from automated vulnerability scanners without a proof-of-concept.
- Missing security headers (e.g., CSP, HSTS) that do not lead to a direct, exploitable vulnerability.
- Self-XSS that cannot be used to attack other users.
5. Contact Information
For all security-related inquiries, please contact us at:
- Email: Support@Homex.land
- Phone: +61879436516