GhostlyX Bug Bounty Program: Earn a Lifetime Scale Plan for Finding Security Vulnerabilities

James King · Co-Founder, GhostlyX · 29 Apr 2026

Security is not an afterthought at GhostlyX. Our entire product is built on the premise that you should not have to choose between useful analytics and respecting your visitors. That same philosophy extends to how we handle the security of our platform.

Today we are launching a formal bug bounty program. If you find a security vulnerability in GhostlyX, we want to hear about it, and we want to make it genuinely worth your time.

What the program covers

The bug bounty program applies to the GhostlyX web application, the public REST API, the JavaScript tracking script, and our authentication systems. These are the surfaces that matter most: the places where a vulnerability could affect customer data, account security, or platform integrity.

Out of scope are social engineering, denial-of-service attacks, physical attacks, vulnerabilities in third-party services we use (such as Stripe or our infrastructure providers), and raw automated scanner output without a demonstrated, exploitable impact.

The full scope, including specific targets and out-of-scope categories, is documented on the bug bounty page.

How rewards are structured

Rewards are tiered by the severity and impact of the finding. We use the CVSS framework as a starting point, though final severity classification is always at GhostlyX's discretion based on the real-world impact of the issue.

Critical and high severity findings earn a lifetime GhostlyX Scale plan, completely free, with no expiry. That means full access to session replay, heatmaps, unlimited sites, funnels, A/B testing, the AI analyst, and every feature we ship in the future. On top of that, you receive exclusive GhostlyX swag and a personal thank-you from the team.

To give that some context: the Scale plan is normally $69 per month. A lifetime plan is not a promotional credit or a fixed-term discount. It is permanent access, forever, as a genuine thank-you for helping keep our customers safe.

Medium severity findings earn GhostlyX branded merchandise and a limited-edition sticker pack, plus a place in our security hall of fame.

Low severity and informational reports earn public acknowledgement in the security hall of fame and a personal thank-you from the team.

Every valid, in-scope report is acknowledged and appreciated, regardless of severity.

What qualifies as critical

Critical vulnerabilities are those with a direct, material impact on customer data, account security, or platform integrity. Specific examples include:

  • Remote code execution on GhostlyX infrastructure
  • SQL injection that exposes customer data
  • Authentication bypass that gives access to any account without credentials
  • Mass customer data exposure
  • Privilege escalation to administrative access

High severity vulnerabilities include stored XSS affecting multiple users, IDOR (insecure direct object reference) exposing another user's private analytics data, payment flow manipulation, and account takeover requiring minimal user interaction.

If you are unsure whether what you have found qualifies, report it anyway. We review everything and will let you know how we have classified it.

How to submit a report

Send your report to support@ghostlyx.com with the subject line "Bug Bounty Report". Include:

  • A clear description of the vulnerability
  • Step-by-step reproduction instructions
  • An assessment of the potential impact
  • Any supporting screenshots, videos, or proof-of-concept code

We aim to acknowledge all reports within 48 hours. We will keep you updated as we investigate and remediate, and we will notify you when your reward is ready.

Please do not disclose the vulnerability publicly or to third parties before we have had an opportunity to investigate and remediate. We are happy to support coordinated disclosure and will work with you on timing.

Rules of engagement

Researchers who follow these rules are protected from legal action under our responsible disclosure policy.

The core rules are: do not access customer data beyond what is necessary to demonstrate the vulnerability, do not degrade availability or performance for other users, test only on accounts you own, and submit reports privately before any public disclosure.

The full rules of engagement are on the bug bounty page.

security.txt

We have also published a security.txt file at /.well-known/security.txt, following the RFC 9116 standard. This gives security researchers a machine-readable way to find our contact details and disclosure policy without having to hunt around the site.

If you are a security researcher, your tooling, such as browser extensions and automated scanners, will pick this file up automatically.
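As an added example of what that tooling actually checks, the following Python script (not GhostlyX's own code) parses a constructed security.txt, verifies the RFC 9116 requirements that Contact and Expires are present and that Expires and Preferred-Languages appear at most once, and flags an expiry that is stale or more than a year out. The sample's Policy URL is a placeholder, not the real bug bounty page.

```python
"""Minimal RFC 9116 security.txt checks (added example; not GhostlyX's code)."""
from datetime import datetime, timedelta, timezone

REQUIRED = {"contact", "expires"}               # RFC 9116: both MUST be present
SINGLETON = {"expires", "preferred-languages"}  # RFC 9116: at most once each
KNOWN = REQUIRED | SINGLETON | {"acknowledgments", "canonical", "encryption",
                                "hiring", "policy", "csaf"}
# Constructed sample; the Policy URL is a placeholder, not GhostlyX's real page.
SAMPLE = """\
Contact: mailto:support@ghostlyx.com
Expires: 2026-10-29T00:00:00Z
Policy: https://ghostlyx.example/bug-bounty
Preferred-Languages: en
"""

def _parse_dt(value):
    # RFC 3339 timestamp; replacing the trailing 'Z' keeps older Pythons happy
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def parse_security_txt(text):
    """Map lower-cased field names to their values; comments and blanks are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text, now_iso="2026-04-29T00:00:00Z"):
    """Return a list of problems; an empty list means the file passed these checks."""
    now = _parse_dt(now_iso)
    fields = parse_security_txt(text)
    problems = [f"missing required field: {n}" for n in sorted(REQUIRED) if n not in fields]
    problems += [f"field must appear at most once: {n}" for n in sorted(SINGLETON) if len(fields.get(n, [])) > 1]
    problems += [f"unknown field: {n}" for n in fields if n not in KNOWN]
    for value in fields.get("expires", []):
        try:
            expires = _parse_dt(value)
        except ValueError:
            problems.append(f"expires is not an RFC 3339 date-time: {value}")
            continue
        if expires <= now:
            problems.append("expires is in the past: treat the file as stale")
        elif expires > now + timedelta(days=365):
            problems.append("expires is over a year away (RFC 9116 recommends less)")
    return problems
```

Run it against the live file with `validate_security_txt(open("security.txt").read(), now_iso=<today>)` to confirm the published copy still passes after each rotation of the Expires date.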

Why we are doing this

Privacy-first analytics only means something if the platform itself is secure. Our customers trust us with their site data, their visitor counts, their conversion funnels, and their business metrics. That trust depends on us taking security seriously at every layer.

A bug bounty program is one of the most practical things we can do to honour that trust. It invites the security community to look at what we have built with fresh eyes, and it ensures that anyone who finds something has a clear, rewarding path to tell us about it.

We are grateful to everyone who takes the time to look. Security is a community effort, and this program is our way of participating in that community properly.

If you have found something, or you have questions about the program, reach out at support@ghostlyx.com or read the full details on the bug bounty page.