NovaNote Bug Bounty Program

Welcome to the NovaNote Bug Bounty Program

We take the security of our users seriously and appreciate the efforts of security researchers. Report bugs or vulnerabilities in NovaNote to help us improve our service.

Bounty Details

The maximum reward for qualifying vulnerabilities is $20,000.

Submit all bug reports to [email protected]
Rewards will be issued based on the severity and impact of the vulnerability.
Only legitimate bugs are eligible for rewards.

Qualifications for Bug Bounties

Authentication Issues: Bypass of authentication mechanisms, weak password enforcement, lack of multifactor authentication.
Authorization Flaws: Privilege escalation vulnerabilities, improper access control allowing users to access restricted resources.
Data Exposure: Leaking of sensitive data such as personally identifiable information (PII), financial data, or proprietary business information.
Code Injection: Vulnerabilities such as SQL injection, cross-site scripting (XSS), or command injection.
Misconfigurations: Cloud service misconfigurations (e.g., in AWS) that expose sensitive data or systems.
Mobile App Security: Vulnerabilities specific to iOS apps, such as insecure storage of sensitive data or improper API communication.

Potential Probe Points

Below are key areas where researchers may focus their efforts to identify vulnerabilities:

AWS Architecture:
- EC2 Instance Misconfigurations
- Improper S3 Bucket Permissions
- Weak IAM Policies or Overly Broad Permissions
- Unsecured APIs or Lambda Functions
iOS App:
- Data stored insecurely in the app (e.g., keychain misuse, local storage vulnerabilities)
- Insecure communication between the app and backend services
- Jailbreak detection bypass or reverse engineering
Backend Services:
- Improper input validation leading to injection attacks
- Weak session management or token handling
- API rate limiting bypass