Security

Bug Bounty Programme

Help us keep Ava | Supernova secure. Report vulnerabilities responsibly and earn token credits as a reward.

How It Works

01

Find

Discover a security vulnerability in any of our in-scope systems.

02

Report

Send a detailed report to security@ava-supernova.com with reproduction steps.

03

Earn

Receive token credits based on severity, plus public acknowledgement.

Scope

In Scope

  • VS Code extension (ava-supernova)
  • Web platform (ava-supernova.com)
  • Companion app (companion.ava-supernova.com)
  • API routes (/api/*)
  • Authentication and session management
  • Data storage and encryption
  • Third-party integrations (provider proxying)

Out of Scope

  • Social engineering or phishing attacks
  • Denial of service (DoS/DDoS)
  • Physical security
  • Attacks against users (not our infrastructure)
  • Issues in third-party services we depend on
  • Automated scanning tool output without verification
  • Missing best practices without demonstrated impact

Rewards

Rewards are paid in Ava token credits, credited directly to your platform account. All validated findings also receive public acknowledgement in our Hall of Fame.

Critical

50M tokens
  • Remote code execution
  • Authentication bypass
  • Full data breach / exfiltration
  • Privilege escalation to admin

High

25M tokens
  • SQL injection
  • Stored XSS with data access
  • API key exposure
  • Insecure direct object references (IDOR)

Medium

10M tokens
  • Reflected XSS
  • CSRF on sensitive actions
  • Information disclosure (non-credential)
  • Missing rate limiting on sensitive endpoints

Low

3M tokens
  • Open redirect
  • Verbose error messages exposing internals
  • Missing security headers
  • Clickjacking on non-sensitive pages

Reporting Guidelines

What to include

  • Clear description of the vulnerability
  • Step-by-step reproduction instructions
  • Proof of concept (screenshots, code, or video)
  • Impact assessment
  • Suggested fix (optional, appreciated)

Rules of engagement

  • Do not access, modify, or delete other users' data
  • Do not perform destructive actions
  • Do not publicly disclose before we have addressed the issue
  • Test against your own accounts only
  • One report per vulnerability

Our Commitment

Acknowledgement

Within 48 hours

We will confirm receipt of your report.

Triage

Within 5 days

We will assess severity and inform you of our findings.

Critical Fix

Within 7 days

Critical vulnerabilities will be patched and deployed.

Reward

Within 14 days

Token credits will be applied to your account after validation.

Hall of Fame

No entries yet. Be the first to responsibly disclose a vulnerability and earn your place here.