High-impact vulnerabilities only

Traceix Bug Bounty Program

PCEF welcomes responsible security reports for Traceix. Because we are a small nonprofit with a limited security budget, bounty consideration is limited to validated high-tier vulnerabilities such as remote code execution, authentication bypass, privilege escalation, sensitive user disclosure, or equivalent high-impact findings.

No speculative, automated, or solicitation-only reports. Do not submit generic scanner output, AI-generated reports, “I found a bug” claims without evidence, requests for payment before validation, SEO/security service pitches, or duplicate low-impact findings. These submissions are not eligible for review, bounty payment, or response.
Max payout: ~$5,000

Upper limit, not a guarantee. Final payout depends on validation, impact, exploitability, report quality, and available budget.

Eligible severity: High / Critical

Use the form’s CVSS-style severity estimate to help triage the initial contact.

Disclosure: initial triage

Initial triage may take up to 48 hours. PCEF may decline submissions that are out of scope, low impact, unsafe, incomplete, automated, or not eligible for bounty review.

Scope and eligible vulnerabilities

Bounty review is limited to high-impact vulnerabilities affecting explicitly in-scope Traceix or PCEF-operated systems. Reports involving assets outside the listed scope are not eligible for bounty review, even if the issue is technically valid.

In scope

Only the following assets are in scope for this bug bounty program:

  • *.traceix.com
  • ai.perkinsfund.org

The wildcard scope includes Traceix subdomains only. Submit the exact affected URL, endpoint, or hostname in the form.

Out of scope

Everything else is out of scope unless PCEF gives prior written authorization.

  • Any domain, subdomain, API, server, repository, or third-party service not listed as in scope
  • Other PCEF properties not explicitly named above
  • Third-party infrastructure, vendors, hosting providers, CDNs, analytics tools, or payment processors
  • Social engineering, phishing, spam, physical attacks, or employee targeting
  • Denial-of-service testing or destructive testing without prior written approval

Generally eligible vulnerability types

  • Remote code execution (RCE)
  • Authentication bypass or account takeover
  • Privilege escalation across users, roles, or tenants
  • Sensitive user disclosure or unauthorized access to private data
  • SQL/NoSQL injection with meaningful data access or modification
  • Server-side request forgery (SSRF) reaching sensitive internal services
  • Stored XSS with account/session impact or administrative reach
  • Critical business logic flaws with direct security impact
  • High-impact supply-chain, API, or token validation weaknesses

Usually not eligible

  • Low-impact scanner output without verified exploitability
  • Missing security headers without a demonstrated exploit chain
  • Clickjacking or tabnabbing without sensitive action impact
  • Self-XSS, logout CSRF, or social-engineering-only issues
  • Rate-limit observations without account, data, or availability impact
  • Public information exposure that is intentionally published
  • Denial-of-service testing performed without prior written approval
  • Reports involving third-party systems outside Traceix/PCEF control

Submissions we do not review

PCEF may close or ignore submissions without response if they are clearly ineligible.

  • Automated scanner output without a verified exploit path and demonstrated impact
  • Generic vulnerability claims without an affected in-scope asset
  • Payment requests, bounty negotiation, or threats before validation
  • Mass-submitted reports, AI-generated reports, or copied templates
  • Reports for assets outside the listed scope
  • Low-impact best-practice findings such as missing headers, SPF/DKIM/DMARC observations, TLS preferences, or verbose errors unless tied to a high-impact exploit chain
  • Social engineering, spam, phishing, physical attacks, or employee targeting
  • Any report requiring unsafe testing, data exfiltration, denial of service, persistence, or malware

Safe testing rules

Do not access, modify, delete, exfiltrate, or publicly disclose data that is not yours. Do not run destructive tests, persistence, malware, spam, phishing, or denial-of-service activity. Provide enough evidence for initial validation without harming users or infrastructure.

By submitting this initial contact form, you agree to responsible disclosure and to give PCEF a reasonable opportunity to validate, remediate, and coordinate any disclosure timeline.

Payouts and payment options

Budget note

PCEF is a small nonprofit. Bounties are discretionary and constrained by available budget. The maximum payout is approximately $5,000 USD, and many validated reports may receive less depending on severity, exploitability, novelty, and report quality.

Payment handled after validation

After validation, eligible researchers may request either a standard payout or a payout in $THRT. Payment method, eligibility, payout amount, and any required payment details are handled only after PCEF validates the report. Do not include wallet, banking, payout information, or payment demands in the initial report.

Submit initial bug bounty contact

This form is for concise, evidence-backed initial reports only. Submissions must include the affected asset, security impact, and enough technical detail for PCEF to determine whether the issue is likely high or critical. Vague claims, automated scanner output, payment demands, and reports without verifiable impact are not eligible.


CVSS v3.1 base score estimator

Estimate severity using CVSS-style base metrics. This produces a numeric 0.0–10.0 score, qualitative tier, and vector string.

Estimated score: (shows "Complete all metrics" until every metric is set)
CVSS vector: CVSS:3.1/AV:?/AC:?/PR:?/UI:?/S:?/C:?/I:?/A:?

This is a researcher-provided estimate. PCEF may recalculate severity during validation.
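For researchers who want to sanity-check the number the form produces before submitting, the following is an added example of the CVSS v3.1 base score calculation; it is not the Traceix form's own code. The metric weights, the Impact/Exploitability sub-scores, the Scope-dependent PR values and the integer-based Roundup come from the FIRST CVSS v3.1 specification; the function names (`parseVector`, `baseScore`, `estimate`) and the handling of incomplete `?` metrics are this example's assumptions, chosen to mirror the "Complete all metrics" state shown above.

```javascript
// Added example: CVSS v3.1 base score from a vector string.
// Not the Traceix form's code; weights and formulas follow the FIRST
// CVSS v3.1 specification, names and "?" handling are this example's.

const METRIC_WEIGHTS = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  // PR weight depends on Scope: [Scope Unchanged, Scope Changed]
  PR: { N: [0.85, 0.85], L: [0.62, 0.68], H: [0.27, 0.5] },
  UI: { N: 0.85, R: 0.62 },
  S:  { U: "U", C: "C" },
  C:  { H: 0.56, L: 0.22, N: 0 },
  I:  { H: 0.56, L: 0.22, N: 0 },
  A:  { H: 0.56, L: 0.22, N: 0 },
};
const METRIC_ORDER = ["AV", "AC", "PR", "UI", "S", "C", "I", "A"];

// CVSS v3.1 Roundup: round up to one decimal using an integer scaled by
// 100000, which avoids floating-point artefacts such as 4.0000001 -> 4.1.
function roundUp(value) {
  const scaled = Math.round(value * 100000);
  if (scaled % 10000 === 0) return scaled / 100000;
  return (Math.floor(scaled / 10000) + 1) / 10;
}

// Qualitative tier as defined by the CVSS v3.1 severity rating scale.
function qualitativeSeverity(score) {
  if (score === 0) return "None";
  if (score < 4.0) return "Low";
  if (score < 7.0) return "Medium";
  if (score < 9.0) return "High";
  return "Critical";
}

// Parse "CVSS:3.1/AV:N/AC:L/..." into { AV: "N", ... }. A missing metric
// or a "?" placeholder is reported in `missing` rather than guessed.
function parseVector(vector) {
  const parts = vector.split("/");
  if (parts[0] !== "CVSS:3.1") throw new Error("expected a CVSS:3.1 vector");
  const metrics = {};
  const missing = [];
  for (const name of METRIC_ORDER) {
    const part = parts.find((p) => p.startsWith(name + ":"));
    const value = part ? part.slice(name.length + 1) : "?";
    if (METRIC_WEIGHTS[name][value] === undefined) missing.push(name);
    else metrics[name] = value;
  }
  return { metrics, missing };
}

// Rebuild the canonical vector string, "?" for anything still unset.
function buildVector(metrics) {
  return "CVSS:3.1/" + METRIC_ORDER.map((n) => `${n}:${metrics[n] ?? "?"}`).join("/");
}

// Base score for a complete metric set (CVSS v3.1 section 7.1).
function baseScore(m) {
  const changed = m.S === "C";
  const w = METRIC_WEIGHTS;
  const iss = 1 - (1 - w.C[m.C]) * (1 - w.I[m.I]) * (1 - w.A[m.A]);
  const impact = changed
    ? 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15)
    : 6.42 * iss;
  const exploitability =
    8.22 * w.AV[m.AV] * w.AC[m.AC] * w.PR[m.PR][changed ? 1 : 0] * w.UI[m.UI];
  if (impact <= 0) return 0;
  return changed
    ? roundUp(Math.min(1.08 * (impact + exploitability), 10))
    : roundUp(Math.min(impact + exploitability, 10));
}

// What a form like the one above would display for a given vector.
function estimate(vector) {
  const { metrics, missing } = parseVector(vector);
  if (missing.length > 0) {
    return { score: null, severity: "Complete all metrics", vector: buildVector(metrics), missing };
  }
  const score = baseScore(metrics);
  return { score, severity: qualitativeSeverity(score), vector: buildVector(metrics), missing: [] };
}

// Constructed sample vector: unauthenticated, network-reachable, full impact.
console.log(estimate("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"));
```

The estimate is only as good as the metric choices: Scope Changed raises both the PR weights and the final multiplier, and an Impact of zero short-circuits to 0.0 regardless of how easy exploitation is, which is why a report with no confidentiality, integrity or availability effect cannot reach the High/Critical tier this program requires.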

Do not include wallet, banking, or payout details here. PCEF will request details only after validation.


This form is only for initial contact and triage. If the issue appears eligible, we will follow up by email for full reproduction details, sensitive evidence, payment preference, payout information, and coordinated disclosure preferences.

Reports are sent to PCEF via EmailJS. You can also email bounties@perkinsfund.org if the form fails.