Route4Me Bug Bounty Program – Rules, Guidelines & Financial Reward Tiers

Route4Me is committed to customer data and routing operations security. We support independent security researchers and reward the responsible discovery and disclosure of security vulnerabilities in our products and services. This page explains the scope of our bug bounty program, how to report a vulnerability, what you can expect from us, and the financial reward structure.


Route4Me Bug Bounty Program Scope

The following Route4Me assets and platforms are part of the bug bounty program’s scope:

  • Web application: The main “route4me.com” Web Platform and all associated customer-facing web applications and subdomains.
  • APIs: The Route4Me REST APIs documented at “integrate.route4me.com”.
  • Official SDKs: Route4Me’s publicly published software development kits and sample code at “github.com/route4me”.
  • Mobile applications: Route4Me’s official iOS and Android applications published under the Route4Me developer accounts.

NOTE: If you’re unsure whether a target is in scope, please contact us at [email protected] before testing.


Vulnerabilities We Are Interested In

We are most interested in vulnerabilities that have a real impact on the confidentiality, integrity, and availability of customer data and the platform, including:

  • Remote code execution (RCE)
  • Injection flaws (SQL, command, template, and similar)
  • Authentication or authorization bypass
  • Insecure direct object references and broken access control
  • Server-side request forgery (SSRF)
  • Exposure of sensitive customer or account data
  • Account takeover
  • Stored or reflected cross-site scripting (XSS)
  • Cross-site request forgery (CSRF) with meaningful impact
  • Business logic flaws that bypass intended security controls
  • API key, token, or credential exposure


Out Of Scope Issues Not Eligible For Rewards

The following are not eligible for rewards. Reports limited to these issues will generally be closed as informational:

  • Denial-of-service (DoS/DDoS) attacks, volumetric testing, or any activity that degrades service for other users
  • Social engineering, phishing, or physical attacks against Route4Me staff, users, or facilities
  • Automated scanner output without a demonstrated, exploitable impact
  • Missing security headers, cookie flags, or best-practice recommendations with no demonstrated exploit
  • Reports of outdated software versions without a working proof of concept
  • Self-XSS, clickjacking on pages with no sensitive actions, and tabnabbing
  • Login/logout CSRF, and missing rate limiting without demonstrated impact
  • Email configuration issues (SPF, DKIM, DMARC) absent a concrete exploit
  • Vulnerabilities in third-party services, libraries, or integrations not operated by Route4Me
  • Issues requiring a rooted, jailbroken, or otherwise compromised device, or physical access to a device
  • Previously known or already-reported issues


Rules Of Engagement To Ensure Program Safety

To keep testing safe for everyone involved, you must:

  • Only test against accounts and data you own or are explicitly authorized to use.
    • NOTE: Create your own test account where possible.
  • Make every effort to avoid privacy violations, data destruction, and interruption or degradation of our services.
  • Stop testing and report immediately if you encounter any customer data, and do not access, store, share, or exfiltrate it.
  • Use only the minimum interaction necessary to demonstrate a vulnerability (a single proof-of-concept request, not bulk exploitation).
  • Not use automated tools or scripts in a way that generates excessive traffic or load.
  • Keep details of any discovered vulnerability confidential until Route4Me has confirmed remediation.


How To Submit A Report To Route4Me

Send your report to [email protected]. A high-quality report helps us validate and reward your finding faster. To ensure quick and effective reporting, please include:

  • A clear, descriptive title and summary of the issue.
  • The affected asset, URL, or API endpoint.
  • Step-by-step reproduction instructions.
  • A proof of concept (request/response samples, scripts, or screenshots).
  • Your assessment of the impact and severity.
  • Any accounts, IPs, or timestamps you used during testing.


Reward Tiers For Reported Vulnerabilities And In-Scope Issues

Rewards are determined by the severity and impact of the vulnerability, assessed using the Common Vulnerability Scoring System (CVSS), together with the quality of the report. The ranges below are a guide; final amounts are at Route4Me’s discretion. Only the first reporter of a previously unknown, valid, in-scope issue is eligible for a reward.

Severity           | Examples                                                                      | Reward Range (USD)
-------------------|-------------------------------------------------------------------------------|-------------------
Critical (P1)      | RCE, full authentication bypass, large-scale customer data exposure           | $3,000–$10,000
High (P2)          | Account takeover, significant access-control bypass, SSRF to internal systems | $1,000–$3,000
Medium (P3)        | Stored XSS, CSRF with meaningful impact, limited data exposure                | $500–$1,000
Low (P4)           | Reflected XSS, lower-impact logic flaws                                       | $100–$500
Informational (P5) | Best-practice findings with no demonstrated exploit                           | Recognition only


Our Commitment To You – Response And Remediation Timeline

When you submit a valid report, you can expect the following response targets (measured in business days):

  • Acknowledgment of your report within 3 business days.
  • Triage and severity validation within 10 business days.
  • Regular status updates through to remediation.
  • Reward decisions are communicated once a report is validated and triaged.

We remediate confirmed vulnerabilities on a timeline appropriate to their severity and verify the fix before closing the report.


Safe Harbor – Legal Considerations For Security Research

Route4Me considers security research and vulnerability disclosure conducted in accordance with this policy to be authorized, beneficial, and welcome. When you make a good-faith effort to comply with this policy during your research, we will:

  • Not pursue or support legal action against you in connection with your research.
  • Work with you to understand and resolve the issue quickly.
  • Recognize your contribution if you are the first to report a valid, in-scope vulnerability.

Authorization under this safe harbor extends only to activity that stays within scope and respects the rules of engagement above. If legal action is initiated by a third party against you for activity that complied with this policy, we will make this authorization known. You are expected to comply with all applicable laws.


Coordinated Disclosure Policy For Reported Issues And Vulnerabilities

Route4Me follows a coordinated disclosure model. Please give us a reasonable opportunity to remediate a reported vulnerability before disclosing it publicly. We ask that you do not disclose any details of a finding to third parties or the public until we have confirmed that it has been resolved. We are happy to coordinate public disclosure with you once remediation is complete.


Eligibility Criteria For Route4Me’s Bug Bounty Program

To qualify for financial rewards and safe harbor protection under the Route4Me Bug Bounty Program, a researcher:

  • Must be the first person to report a previously unknown, valid, in-scope vulnerability.
  • Must not be a current Route4Me employee or contractor, a former employee or contractor within the past 12 months, or an immediate family member of one.
  • Must not be subject to sanctions or located in a sanctioned or embargoed jurisdiction. Rewards are paid in compliance with applicable law.
  • Must comply with this policy and all applicable laws throughout their research.


Contact Us To Learn More Or Submit A Report

For all security reports and questions about this program, contact [email protected].

We appreciate your help in keeping Route4Me and our customers safe.

Last Updated:

About author: Alex Yasko

Alex Yasko is the Go-to-Market Product Manager and Information Architecture Manager at Route4Me. With thousands of hours of experience, Alex specializes in breaking down complex last-mile optimization and routing scenarios into simple, actionable instructions, helping last-mile businesses streamline their operations effortlessly.


About Route4Me

Route4Me has over 40,000 customers globally. Route4Me's Android and iPhone mobile apps have been downloaded over 2 million times since 2009. Extremely easy-to-use, Route4Me's apps create optimized routes, synchronize routes to mobile devices, enable communication with drivers and customers, offer turn-by-turn directions, delivery confirmation, and more. Behind the scenes, Route4Me's operational optimization platform combines high-performance algorithms with data science, machine learning, and big data to plan, optimize, and analyze routes of almost any size in real-time.