At Microkeeper, we take security seriously, and we know that staying secure is a collective effort. That’s why we’ve launched our Security Vulnerability Bounty Program, designed to reward ethical hackers and security researchers who help us identify and fix potential weaknesses in our platform.
Whether you’re a penetration tester, a developer, or just someone with a sharp eye for bugs, this program is your opportunity to contribute to a safer experience for every Microkeeper user, and get rewarded for it.
How it works: Severity levels and Rewards
We assess each reported vulnerability based on its severity and potential impact. Here’s how we break it down:
Note: All reward amounts listed above are in AUD (Australian Dollars).
What we're looking for
We’re especially interested in vulnerabilities related to:
- Authentication and Authorisation: login, session handling, password management, and privilege escalation flaws.
- Data exposure: any unintended access to personal, payroll, or organisational data.
- API Security: broken authentication, data leakage, or permission misconfigurations in public/private APIs.
- Code injection attacks: cross-site scripting (XSS), SQL injection, or similar issues that allow untrusted input.
- Remote code execution (RCE): vulnerabilities that could let an attacker run code on our systems.
What's out of scope
We love security research, but the following types of vulnerabilities fall outside this program:
- Denial of service (DoS/DDoS) attacks.
- Vulnerabilities requiring social engineering (e.g. phishing).
- Issues in third-party platforms not operated by Microkeeper.
- Bugs in outdated or unsupported versions of Microkeeper.
- Anything involving unpatched legacy systems no longer in production.
How to report a security bug
If you’ve found a bug, please let us know! Here’s how:
- Submit a ticket via our contact us page.
- Include a clear description of the issue, the steps to reproduce it, and which system or service is affected.
- Attach any relevant evidence; logs, screenshots, or payloads are helpful.
- Be sure to include your contact details in case we need to follow up.
- If your report is valid and meets our criteria, we’ll be in touch with details about your reward.
Program rules
To ensure fairness and transparency, please take note of the following rules:
- Reports must affect the Microkeeper platform or products to be eligible.
- Only the first valid report of a given issue will receive a reward.
- Submissions must be sent via our official reporting channels.
- You must include clear steps to reproduce the issue.
- The final reward amount is determined by our security team based on impact, clarity, and accuracy.
- Microkeeper reserves the right to adjust rewards or eligibility at its discretion.
Helping us stay secure
Microkeeper is committed to providing a secure platform for all users, and that includes collaborating with the broader security community. We’re incredibly grateful to researchers and ethical hackers who help us uncover and resolve vulnerabilities before they can be exploited.
If you think you’ve found something, don’t hesitate to get in touch.
Thanks for helping keep Microkeeper secure.