Traceix
Invite-only security research program

Traceix Bug Bounty Program

Traceix operates an invite-only bug bounty program for responsible security researchers. Participation is limited to researchers who apply for access and receive written approval from PCEF before testing. Uninvited testing, scanner-only submissions, speculative vulnerability claims, payment demands, duplicate reports, and reports involving out-of-scope assets are not eligible for bounty review. Anything reported outside of this process is not eligible for bounty payment or response.

Approval is required before testing. Submitting an application does not authorize testing. Researchers must wait for written approval and any program-specific instructions before performing security research against Traceix or PCEF-operated systems. Reports submitted outside this invite-only process are not eligible for bounties or responses.

Program status: Invite Only. Researchers must apply and receive authorization before testing.

Eligible severity: High / Critical. Bounty consideration is limited to validated, high-impact vulnerabilities.

Scope: Limited Assets. Only explicitly listed assets are in scope.

Invite-only participation

The Traceix bug bounty program is not open for public, unsupervised testing. Researchers must apply for access and receive written approval from PCEF before performing any testing. PCEF may approve, deny, limit, pause, or revoke participation at its discretion.

Approval may depend on researcher background, prior report quality, program capacity, operational risk, budget, and whether the proposed testing aligns with the current security priorities of Traceix and PCEF.

Apply for invite-only access

Use the application form below to request access to the Traceix bug bounty program.


In-scope assets

Bounty review is limited to vulnerabilities affecting the assets listed below. Any domain, subdomain, API, repository, server, vendor, infrastructure provider, or third-party service not listed here is out of scope unless PCEF provides prior written authorization.

In scope

Only the following assets are in scope for authorized researchers:

  • *.traceix.com
  • ai.perkinsfund.org

Authorized reports must identify the exact affected hostname, URL, endpoint, or service.

Out of scope

Everything else is out of scope unless PCEF gives prior written authorization.

  • Any domain, subdomain, API, server, repository, or service not explicitly listed as in scope
  • Other PCEF properties not explicitly named above
  • Third-party infrastructure, vendors, hosting providers, CDNs, analytics tools, payment processors, or email providers
  • Employee, contractor, donor, volunteer, or partner accounts outside approved testing conditions
  • Social engineering, phishing, spam, physical attacks, or employee targeting
  • Denial-of-service testing or destructive testing without prior written approval
  • Repositories, internal tools, administrative systems, or cloud infrastructure unless explicitly authorized by PCEF

Eligible vulnerability types

Bounty consideration is limited to validated high-impact vulnerabilities affecting in-scope assets. Reports must include enough evidence for PCEF to understand the affected asset, security impact, exploitability, and reproduction path.

Generally eligible

  • Remote code execution
  • Authentication bypass or account takeover
  • Privilege escalation across users, roles, tenants, or administrative boundaries
  • Unauthorized access to sensitive user, organizational, or system data
  • SQL, NoSQL, command, or template injection with meaningful security impact
  • Server-side request forgery reaching sensitive internal services
  • Stored cross-site scripting with account, session, administrative, or data-access impact
  • Critical business logic flaws with direct security impact

Usually not eligible

  • Automated scanner output without verified exploitability
  • Missing security headers without a demonstrated exploit chain
  • Clickjacking or tabnabbing without sensitive action impact
  • Self-XSS, logout CSRF, or social-engineering-only findings
  • Rate-limit observations without account, data, abuse, or availability impact
  • Public information exposure where the information is intentionally published
  • Reports involving third-party systems outside Traceix or PCEF control
  • Best-practice recommendations without a practical security impact

Submissions we do not review

PCEF may close, ignore, or decline submissions without response if they are clearly ineligible, unsafe, incomplete, duplicative, or outside the invite-only program process. Reports marked as duplicate or out of scope will be closed without further communication from the team. Anything reported outside of this process is not eligible for bounty payment or response.

  • Reports submitted by researchers who were not approved for the invite-only program
  • Reports based on testing performed before written authorization was granted
  • Reports submitted outside the approved application, authorization, and reporting process
  • Duplicate reports or previously known issues
  • Reports involving assets outside the listed scope
  • Automated scanner output without a verified exploit path and demonstrated impact
  • Generic vulnerability claims without an affected in-scope asset
  • Payment requests, bounty negotiation, or threats before validation
  • Mass-submitted reports, AI-generated reports, copied templates, or low-effort findings
  • Social engineering, spam, phishing, physical attacks, or employee targeting
  • Any report requiring unsafe testing, data exfiltration, denial of service, persistence, malware, or destructive activity

Safe testing rules

Do not access, modify, delete, exfiltrate, or publicly disclose data that is not yours. Do not run destructive tests, persistence, malware, spam, phishing, credential attacks, or denial-of-service activity. Provide enough evidence for validation without harming users, systems, or infrastructure.

Authorized researchers must follow any testing limits, communication instructions, disclosure requirements, and asset-specific rules provided by PCEF. If a test could affect availability, privacy, data integrity, users, or third-party systems, stop and request written guidance before continuing.

Bounty consideration

Discretionary awards

Bounties are discretionary and are not guaranteed. Award decisions may depend on severity, exploitability, affected asset, novelty, report quality, remediation value, program budget, and whether the researcher followed the invite-only process.

Payment after validation

Payment method, eligibility, payout amount, and any required payment details are handled only after PCEF validates an eligible report. Do not include wallet, banking, payout information, or payment demands in an access application or initial report.

Apply for access

Researchers who want to participate in the Traceix invite-only bug bounty program may apply using the form below. Submitting the form does not authorize testing. PCEF will review applications and may contact approved researchers with next steps.

Bug bounty access application

Apply here: https://forms.gle/QTUjAPgtqoZkcRRP9