Last Updated: March 2026  ·  This policy applies to vitcher.com, operated by Vitcher LLC.

If you have found a security vulnerability on vitcher.com, please contact us immediately. We review all legitimate reports and work to resolve issues as quickly as possible. Before submitting a report, please read this page in full — including our fundamentals, bounty program, reward guidelines, and non-reportable issues.

Fundamentals

If you follow the principles below when reporting a security issue to vitcher.com, we will not initiate legal action or enforcement investigations against you in response to your report.

We ask that you:

  1. Give us reasonable time to investigate and fix the issue before disclosing it publicly or sharing it with others.
  2. Not access or interact with private accounts without the account owner's explicit consent.
  3. Make a good-faith effort to avoid privacy violations, service disruptions, or data destruction.
  4. Not exploit the vulnerability for any reason, including to demonstrate additional risks or access sensitive data.
  5. Comply with all applicable laws and regulations throughout your research.

Bounty Program

We recognize and reward security researchers who help protect our platform by responsibly disclosing vulnerabilities. Bounties are awarded at Vitcher LLC's sole discretion, based on risk level, impact, and report quality.

To potentially qualify for a bounty, you must:

  1. Follow all fundamentals listed above.
  2. Report a valid security bug that poses a genuine risk to user privacy or site security.
  3. Submit your report directly to Contact@vitcher.com — please do not contact employees individually.
  4. Disclose any accidental privacy violations or service disruptions caused during your research.
  5. Understand that all valid reports are investigated, but response time and priority are based on severity and risk.
  6. Agree that Vitcher LLC reserves the right to publish submitted reports.

Rewards by Severity

Rewards are based on the impact and severity of the vulnerability. Please include detailed, reproducible steps in your report. Issues that cannot be reproduced are not eligible for a bounty. The first valid report of any given issue receives the bounty — duplicate reports do not. Multiple bugs caused by the same underlying issue are treated as a single report.

🔴 Critical Severity

  • Remote Code Execution
  • Remote Shell or Command Execution
  • Vertical Authentication Bypass
  • SQL Injection leaking targeted data
  • Full account takeover
Reward: up to $200

🟠 High Severity

  • Lateral authentication bypass
  • Disclosure of sensitive internal data
  • Stored XSS affecting other users
  • Local file inclusion
  • Insecure handling of authentication cookies
Reward: up to $100

🟡 Medium Severity

  • Logic or business process flaws
  • Insecure direct object references
Reward: up to $50

⚪ Low Severity

  • Open redirects
  • Reflected XSS
  • Low-sensitivity information leaks
Reward: Recognition only

Non-Reportable Issues

The following are outside the scope of our bounty program and will not be considered for rewards:

  • Clickjacking on pages without sensitive actions
  • Missing HTTP security headers that do not directly lead to a vulnerability
  • Descriptive error messages or stack traces with no sensitive data
  • Rate limiting issues that do not expose user data or account access
  • Vulnerabilities in third-party services or plugins outside our direct control
  • Reports generated by automated scanners without manual verification
  • Social engineering or phishing attacks targeting our staff or customers
  • Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
  • Issues already known to us or previously reported by another researcher

Contact Information

To report a security issue or ask questions about this program, please reach out:

📍 Address: 604-606 IA-175, Ida Grove, IA 51445, USA

Phone: +1 (712) 217-4726

Email: Contact@vitcher.com

🕐 Business Hours: Monday – Friday: 9:00 AM – 6:00 PM CT  |  Saturday – Sunday: Closed