Cal Coast Bug Bounty Program | Security Researcher Rewards

Why We Run This

Restoration companies handle sensitive customer data: home addresses, insurance policies, signatures on legal documents, photos of homes during vulnerable moments. We believe every customer deserves an honest partner who actively hardens their infrastructure. A bug bounty program means we engage the security community instead of hoping nobody notices.

Reward Tiers

Critical

$500

RCE, full account takeover, data breach with PII exposure

High

$250

SSRF, stored XSS with sensitive data, auth bypass

Medium

$100

Reflected XSS, CSRF on sensitive actions, subdomain takeover

Low

$25

Information disclosure, security header misconfig with impact

Rewards paid via Stripe or PayPal within 30 days of confirmed and patched issue. Hall of Fame credit available for all valid reports.

Scope

In scope:

calcoastwaterdamage.com and all subdomains
moldhelpsd.com and all subdomains
Any Cal Coast-controlled Vercel serverless functions (api/chat, api/mcp, api/airtable)
Published machine-readable data feeds (/api/*.json, /data/*.json)
Our did:web identity infrastructure (.well-known/did.json)

Out of scope:

Third-party services we use (Formspree, Google Analytics, Anthropic API, Vercel platform, Calendly, GoDaddy hosting) - report directly to those vendors
Social engineering or phishing attacks without technical exploit
Physical security of our office
Issues requiring stolen credentials or physical device access
Issues only exploitable on extremely outdated browsers

Submission Process

Email josiah@gowithcalcoast.com with subject "SECURITY REPORT". Include:

Vulnerability description and where it lives
Reproduction steps
Impact assessment (what could an attacker do?)
Suggested remediation (optional but appreciated)
Your handle for Hall of Fame credit
Payment method (Stripe email or PayPal email)

Our Response Timeline

Within 24 hours: Acknowledge receipt
Within 7 days: Initial triage and severity assignment
Within 30 days: Fix deployed or detailed timeline communicated
Within 45 days of fix: Reward paid

Safe Harbor

Research conducted in good faith consistent with this policy is authorized. We will not pursue civil action or report security researchers to law enforcement provided you:

Do not access, modify, or destroy customer data beyond what's needed to demonstrate the vulnerability
Do not perform attacks that degrade service for real users (no DDoS, no resource exhaustion)
Report the issue promptly and do not disclose publicly until we've had reasonable time to fix
Do not extort us or threaten public disclosure for higher payment

Hall of Fame

Researchers who submit valid reports are credited publicly at /.well-known/hall-of-fame.txt (with your permission). LinkedIn endorsements and professional reference letters available on request.

Why We Pay Small Amounts

We're a regional restoration company, not a tech giant. We pay what we can sustainably. Most reporters tell us they appreciate that a local San Diego business engages the security community at all. We hope to grow these rewards over time.

Questions

Reach out via josiah@gowithcalcoast.com or call 619-320-2700.