Preview · Not live yet
This is a draft of our future bug bounty program. No payouts are being made today. The reward tiers below describe what we'll launch with. We'll announce the live start date publicly when the program opens. Reports submitted now will be treated as good-faith disclosure under our existing security policy, acknowledged and publicly thanked, with your permission. No financial credit, IOU, or future payment is implied.
Preview · Public launch coming soon

Find a flaw, get paid.

Once the program is live: SkinID guards real people's identities, doors, and credentials. We need independent eyes on the architecture. If you find something we missed, tell us. We'll reward you, name you publicly with your permission, and ship the fix fast.

Reward tiers (preview, not active)

When the program launches, we will judge severity using FIRST CVSS 3.1, with bonus weight for findings that bypass the chip's hardware root of trust or break the zero-knowledge model. Payouts are made in CHF, EUR, or USD by bank transfer.

  • Critical, CVSS 9.0 to 10.0: CHF 5,000 up to 10,000
    Remote code execution on the server, full vault decryption without the chip, full operator-panel takeover, multi-user credential extraction. Anything that breaks the zero-knowledge property.
  • High, CVSS 7.0 to 8.9: CHF 1,500 up to 3,000
    Single-user account takeover, operator privilege escalation (support to senior or senior to super), bypass of the multi-operator approval gate, persistent XSS in the operator panel, SQL injection producing data exposure.
  • Medium, CVSS 4.0 to 6.9: CHF 500 up to 1,000
    CSRF on state-changing endpoints, reflected XSS in any panel, authenticated SSRF, sensitive information disclosure via error messages, rate-limit bypass that makes spray attacks practical.
  • Low, CVSS 0.1 to 3.9: CHF 100 up to 250
    Self-XSS, missing security headers on minor pages, low-impact information disclosure, missing best practice with no concrete attack path.

If the same issue is reported more than once, the first researcher to report it gets the bounty. We may pay above the listed range for exceptional findings. Bonuses are available for clean reproductions, responsible coordination, and follow-up help on the fix.

Scope

In scope

  • skinid.ch and any subdomain
  • The SkinID iOS, iPadOS, macOS, Android applications
  • The SkinID Safari Web Extension and our published Chrome / Firefox extensions
  • The SkinID Mac and Windows USB bridges
  • The cryptographic protocols (chip auth, vault key derivation, recovery key sharing)
  • Authentication, session, and audit-trail integrity (including the tamper-evident audit log hash chain)
  • Supply-chain attacks affecting our published artifacts

Out of scope

  • Self-exploitation: attacks that require compromising your own account and yield no privilege
  • DoS via volumetric attack against skinid.ch (rate-limited; do not flood)
  • Reports based purely on automated scanner output without manual verification
  • Social engineering of SkinID staff, customers, or piercer studios
  • Physical attacks on the chip after implantation (body autonomy)
  • Vulnerabilities in third-party services we link to (browsers, OSes, etc.)
  • Theoretical findings without a concrete attack path

Safe harbour

We commit to not pursue legal action against you for good-faith security research within the scope above. You agree to:

In exchange you get: legal safe harbour, a bounty, public recognition (unless you prefer anonymity), and our commitment to ship the fix fast and tell you when it lands in production.

How to report

Email support@skinid.ch with: a clear description, reproduction steps, your suggested severity (we'll re-judge), and proof-of-concept code if relevant.

Today (program in preview): reports are still very welcome. They are treated as good-faith disclosure under our existing security policy. We acknowledge, assess, fix, and name you publicly in our hall of fame (with your permission). We do not pay cash bounties yet. The program officially launches when this banner comes down.

Our machine-readable contact details follow RFC 9116 and are published at /.well-known/security.txt.

Acknowledgement within 48 hours. Initial assessment within 5 business days. Once the program is live, resolution and payment will typically land within 30 days for high-severity issues, longer if the fix requires a coordinated client release.

Hall of fame

Researchers who have helped us improve SkinID (with their consent to be named):

No public reports yet. Be the first.

"Security is not a checkbox. It's an ongoing conversation between us and the people brave enough to break what we built."