Our Commitment
DriveStrike is committed to ensuring the security of our customers’ data and welcomes security researchers to responsibly report any vulnerabilities found in our systems. We value the contribution of independent researchers and offer monetary rewards for eligible reports based on severity.
Safe Harbor
DriveStrike will not pursue civil or criminal action against researchers who discover and report security vulnerabilities in good faith and in compliance with this policy. We consider good-faith research to include:
- Making a genuine effort to avoid privacy violations, service disruption, and data destruction during testing
- Reporting vulnerabilities promptly and providing us reasonable time to remediate before any public disclosure
- Not accessing, modifying, or exfiltrating data beyond what is necessary to demonstrate the vulnerability
- Not conducting social engineering, phishing, or physical attacks against DriveStrike employees or infrastructure
Eligibility
To be eligible for a reward, you must:
- Be the first to report the specific vulnerability
- Not be a current or former DriveStrike or Spearstone employee or contractor
- Not reside in a country subject to U.S. OFAC sanctions
- Be of legal age in your jurisdiction
How to Report
Submit all reports to security@drivestrike.com. Please include:
- A detailed description of the vulnerability
- Step-by-step reproduction instructions
- Your assessment of the potential impact
- Any supporting screenshots, videos, or proof-of-concept code
We will acknowledge your report within 72 hours and provide a triage decision within 10 business days.
Program Scope
In scope:
- drivestrike.com and all subdomains
- app.drivestrike.com (the DriveStrike web application and dashboard)
- DriveStrike iOS and Android mobile applications
- DriveStrike Windows, Mac, and Linux device agents
- The DriveStrike API
Out of scope:
- Social engineering or phishing attacks targeting DriveStrike employees
- Physical attacks against DriveStrike offices or infrastructure
- Denial of service (DoS/DDoS) attacks
- Vulnerabilities in third-party services or libraries outside DriveStrike’s control
- Automated scanner findings without demonstrated real-world impact
- Spam, email deliverability, or SPF/DKIM configuration issues
- Rate limiting on non-sensitive endpoints
Severity and Compensation
Rewards are based on the confirmed severity and impact of the vulnerability. Final payout amounts are at DriveStrike’s discretion based on report quality and real-world risk.
| Level | Description | Payout Range |
|---|---|---|
| Critical (L4) | Unauthorized access to customer accounts, privilege escalation, remote code execution, or the ability to issue unauthorized commands to customer-managed devices | $500 – $5,000 |
| High (L3) | Unauthorized exposure of customer data, including device location or management metadata | $250 – $500 |
| Medium (L2) | Unauthorized modification of device management settings, account configuration, or customer data | $100 – $200 |
| Low (L1) | Creates a customer nuisance or perception of poor security | $25 – $100 |
Exceptional reports demonstrating significant real-world impact may, at DriveStrike’s discretion, receive awards above the published ranges.
Disclosure Policy
We ask that you allow us 90 days from the date of your initial report to investigate and remediate the vulnerability before any public disclosure. If a fix requires additional time, we will communicate with you and work toward a mutually agreed disclosure date.
Duplicate Reports
Only the first researcher to report a unique, previously unknown vulnerability is eligible for a reward. If your report duplicates a known issue currently under investigation, we will notify you and you will not be eligible for a reward for that finding.
