Range runs a bug bounty program that rewards security researchers who help protect our platform and customers. Submit vulnerabilities in any Range product or infrastructure to security@range.org.

Rewards

Rewards are paid at the discretion of the Range security team based on severity, exploitability, and real-world impact.
Severity   Reward (up to)
Critical   $10,000
High       $5,000
Medium     $1,000
Low        $250
Final amounts, including whether a finding qualifies, are determined by the Range team.

Scope

In scope

  • range.org and all *.range.org subdomains
  • Range platform, APIs (Risk, Data, Faraday), and dashboards
  • Authentication and authorization flows
  • Remote code execution, SQL injection, SSRF, and server-side template injection
  • Broken access control, IDOR, and privilege escalation
  • Authentication bypass and account takeover
  • Sensitive data exposure and information disclosure
  • Stored or reflected XSS with demonstrable impact

Out of scope

  • Social engineering, phishing, or physical attacks
  • Denial of service (DoS/DDoS) and volumetric testing
  • Issues in third-party services we do not control
  • Reports from automated scanners without a working proof of concept
  • Best-practice recommendations without a demonstrable vulnerability
  • Missing security headers (CSP, HSTS, X-Frame-Options) without a demonstrated exploit
  • SPF, DKIM, or DMARC configuration issues
  • Self-XSS, clickjacking on pages without sensitive actions, and CSRF on logout or non-state-changing endpoints
  • Rate limiting or brute-force concerns without a clear impact path
  • Username or email enumeration
  • Vulnerabilities in outdated browsers or already-patched dependencies without a working proof of concept
  • Issues already known to the team or previously reported

How to report

Email security@range.org with:
  • A clear description of the issue
  • Steps to reproduce, including a proof of concept
  • Potential impact
  • Any suggested remediation
Do not publicly disclose the vulnerability before our team has investigated and remediated it. Do not open a public GitHub issue. Range acknowledges reports within 2 business days.

Disclosure timeline

Researchers may publicly disclose findings 90 days after the initial report, or sooner with written approval from the Range security team. We will work with you to coordinate disclosure once a fix is in place.

Eligibility and testing rules

  • Only the first reporter of a unique, valid finding is eligible for a reward
  • Range employees, contractors, and their immediate family members are not eligible
  • Use only your own test accounts; do not access, modify, or exfiltrate other users’ data
  • Do not run automated scanners at high volume against production systems
  • You must comply with all applicable laws and sanctions regulations

Safe harbor

Range will not pursue legal action against researchers who:
  • Make a good-faith effort to comply with this policy
  • Avoid privacy violations, data destruction, and service disruption
  • Allow reasonable time for remediation before any public disclosure

Last modified on April 28, 2026