we sent a 6-digit code to .

enter the 6-digit code from your authenticator app.

the emotional interface_
[ home / about / pricing / bug bounty / support / privacy policy / portal ]
[ overview / bounties / scope / rules / hall of fame / report ]

// security & bug bounty

this program is not yet open. moood is currently in alpha testing. we are not accepting security reports, crediting findings, or acknowledging any testing conducted prior to the official launch of this program. any unauthorized testing of our systems before the program is live is not appreciated and will not be recognized. the information below outlines what the program will look like when it launches. please check back when we announce the program is live.

we believe security is a community effort. moood invites researchers to responsibly disclose vulnerabilities in exchange for recognition and financial rewards that grow as we grow.

we're a startup. we can't compete with big tech bounties yet — but we promise transparency, respect, and retroactive rewards for those who help us early.

// bounty tiers

payouts scale with our revenue. select a stage to see reward ranges.

monthly revenue: $0 – $1,000
this is our current stage
> retroactive promise.
researchers who submit valid findings during earlier revenue stages will receive a retroactive bonus equal to the difference between what they were originally rewarded and the current-tier rate for their finding's severity. early trust is rewarded.
how severity is determined

we use CVSS v3.1 scoring as a baseline. the final severity classification is determined by the actual impact to moood users and infrastructure, not just the theoretical score.

critical (9.0–10.0): remote code execution, authentication bypass, full database access, blind relay de-anonymization, payment system compromise.

high (7.0–8.9): privilege escalation, stored XSS with session theft, IDOR on sensitive mood data, blind token forgery.

medium (4.0–6.9): CSRF, reflected XSS, information disclosure of non-sensitive data, rate limiting bypass.

low (0.1–3.9): missing security headers, verbose error messages, minor misconfigurations.

// scope

review what's in bounds before testing. out-of-scope reports may still be acknowledged but won't qualify for rewards.

> in scope

  • app.moood.tech (web application)
  • moood.tech (marketing site)
  • API endpoints
  • authentication & session management
  • blind relay architecture
  • mood data access controls
  • cloud functions
  • mobile apps (iOS & Android)

x out of scope

  • third-party services (Firebase, Cloudflare)
  • denial of service (DoS/DDoS)
  • social engineering or phishing
  • physical security
  • automated scanning without approval
  • attacks against employees or users
  • staging/dev environments

// rules of engagement

don't access other users' data. use your own test accounts. if you accidentally access another user's data, stop immediately and report it.
no destructive testing. don't degrade service availability or corrupt data. describe destructive PoCs theoretically.
report promptly. submit findings as soon as you have a reproducible proof of concept. don't sit on vulnerabilities.
90-day disclosure window. give us 90 days to fix the issue before public disclosure. we'll keep you updated on progress.
one report per root cause. multiple instances of the same vulnerability = one report. duplicates of known issues won't qualify.
clear reproduction steps. include the full URL, parameters, payloads, screenshots, and tools used. easier to reproduce = faster to fix.
safe-harbor.txt 
# safe harbor policy

we consider security research conducted in accordance
with this policy to be:

   authorized
   lawful
   helpful
   protected

we will not pursue civil or criminal action against
researchers who discover and report vulnerabilities
in good faith and in compliance with this policy.

if you are uncertain whether your research is
consistent with this policy, reach out first.
we're happy to clarify.

// hall of fame

every researcher with a valid finding earns their place here — these individuals helped make moood safer for everyone.

> be the first_ no vulnerabilities reported yet. find one, report it responsibly, and earn your spot here.

// report a vulnerability

to report a security vulnerability, please open a support ticket. include as much detail as possible — full URL, parameters, payloads, screenshots, and tools used.

how to report
open a support ticket
response
within 48hrs
disclosure
90-day coordinated

select "other" as the category and include "security" in the subject line so we can prioritise your report.