<aside> 🛡️

Help us keep Birch secure and get rewarded for your findings.

</aside>

<aside> 📧

Report To

[email protected]

</aside>

<aside> ⏱️

Response Time

5 business days

</aside>

<aside> 💰

Rewards

$50 – $500

</aside>

1. Introduction

At Birch, we take security and privacy very seriously. We know that maintaining the trust of our B2B partners and customers is critical to our mission of automating marketing technology. If you believe you have found a security vulnerability that affects Birch, please report it to us.

Reports that fall within the scope of the Birch Bug Bounty Program are eligible for a reward. We appreciate your efforts in helping protect customer trust and making Birch more secure.

2. Scope

<aside> ✅

In Scope

• app.bir.ch — Primary web application
• bir.ch — Marketing website and public pages
• api.bir.ch — Public API endpoints </aside>

<aside> 🚫

Out of Scope

• Third-party services and integrations (Facebook, Google Ads, TikTok, etc.)
• Birch’s internal corporate infrastructure
• Any non-Birch owned domains or services
• Physical security or social engineering attacks </aside>

3. Rewards

We award bounties based on severity and business impact of the vulnerability.

<aside> 💵

How bounties are determined: Rewards are based on severity, report quality, and business impact, and may be adjusted at Birch’s sole discretion. Final amounts are not subject to negotiation.

</aside>

<aside> 🔴

Critical — $300–$500

Remote code execution, authentication bypass, full database access, significant data breach potential

</aside>

<aside> 🟠

High — $150–$300

Stored XSS with significant impact, privilege escalation, access to other users’ sensitive data

</aside>

<aside> 🟡

Medium — $75–$150

Reflected XSS, CSRF on sensitive actions, information disclosure of non-critical data

</aside>

<aside> ⚪

Low — $25–$75

Minor security issues with limited impact, requires unlikely user interaction

</aside>

Reward Factors

Increases reward:

• Clear, detailed proof-of-concept
• Novel attack vectors
• Demonstrated real-world business impact
• High-quality report with remediation suggestions

Decreases reward:

• Low-quality or incomplete reports
• Issues requiring significant user interaction
• Theoretical vulnerabilities without practical exploit

4. Rules of Engagement

<aside> ⛔

Do NOT (Strictly Prohibited):

• Access, modify, or delete data belonging to other users
• Attempt to brute-force credentials or access another user’s account, even with test payloads
• Perform denial of service (DoS/DDoS) attacks
• Send unsolicited messages to users (spam, phishing)
• Use social engineering against Birch employees or customers
• Access or exfiltrate excessive amounts of data to prove a vulnerability
• Publicly disclose vulnerabilities without our written consent
• Use automated scanners
• Test against production systems in ways that could degrade service </aside>

<aside> ✅

</aside>