Bug bounty program.
Security is a team effort. Help us protect our mobile app users by responsibly disclosing vulnerabilities, and we'll recognise your contribution.
What's in scope.
Our bug bounty covers the BeMoreKinky iOS and Android apps, including their backend APIs.
iOS App: BeMoreKinky for iOS
Android App: BeMoreKinky for Android
In Scope
Authentication and authorisation bypass in the mobile apps
Insecure local data storage (keychain/keystore misuse, unencrypted databases, cleartext caches)
Encryption or cryptographic implementation flaws (e.g. weak key generation, broken E2EE)
Data leakage through logs, clipboard, screenshots, or app backgrounding
API vulnerabilities reachable from the mobile client (IDOR, privilege escalation, injection)
Deep link or URL scheme hijacking
Certificate pinning bypass that exposes user data
Partner data exposure (viewing another user's preferences or activity without consent)
Out of Scope
The marketing website (bemorekinky.com)
Denial of service (DoS/DDoS) attacks
Social engineering or phishing of staff or users
Physical attacks against offices or infrastructure
Automated scanning or brute-force without prior agreement
Vulnerabilities in third-party SDKs or services we don't control
Rooted/jailbroken device-only exploits with no real-world impact
Reports from automated tools without manual validation
How to report.
Follow these steps to submit a vulnerability report. The more detail you provide, the faster we can respond.
Discover: Find a vulnerability within our scope. Test only against accounts you own or have explicit permission to use.
Document: Write a clear report including steps to reproduce, affected components, and potential impact. Include screenshots or proof-of-concept code where possible.
Submit: Email your report to security@bemorekinky.com. We'll acknowledge receipt within 48 hours and keep you updated on our progress.
Rules of engagement.
To keep everyone safe, we ask researchers to follow these guidelines.
What We Ask
Give us reasonable time to fix the issue before any public disclosure (minimum 90 days)
Do not access, modify, or delete data belonging to other users
Do not degrade or disrupt our services or infrastructure
Only test against accounts you own or control
Do not use the vulnerability for any purpose beyond demonstrating the issue
What We Promise
Safe harbour: We will not pursue legal action against researchers acting in good faith
Acknowledgement: Within 48 hours of receiving your report
Transparency: We'll keep you informed as we investigate and remediate
Recognition: With your permission, we'll credit you in our Hall of Fame
No retaliation: Your account will never be penalised for good-faith research
What makes a good report.
The best reports help us understand and reproduce the issue quickly.
Description: A clear summary of the vulnerability and which component is affected.
Steps to Reproduce: Detailed, step-by-step instructions so we can replicate the issue.
Impact: What could an attacker achieve? What data or functionality is at risk?
Evidence: Screenshots, HTTP requests/responses, proof-of-concept code, or video recordings.
Suggested Fix (Optional): If you have ideas on how to remediate the issue, we'd love to hear them.
Found something?
Send your report to our security team. We take every submission seriously and respond within 48 hours.