Program scope

In scope

Thordata website and dashboard:

https://www.thordata.com and its pages (e.g. https://dashboard.thordata.com)

Any services, systems, or infrastructure not explicitly listed above—including internal or related services—are out of scope and are not authorized for security testing.

If you believe a system not listed above may be valuable to test, please contact us before any testing for confirmation.

Qualifying vulnerabilities

The following vulnerability types are in scope for rewards, including but not limited to:

  • Cross-Site Scripting (XSS): reflected, stored, and DOM-based
  • Cross-Site Request Forgery (CSRF / XSRF)
  • Authentication or authorization flaws (e.g., authentication bypass, session management issues, IDOR, privilege escalation)
  • Remote Code Execution (RCE) on production servers
  • Any design or implementation flaw that may result in the leakage, modification, or unauthorized access to customer data or account information

Out of scope

Prohibited testing activities:

  • Any form of Denial of Service (DoS / DDoS) or destructive testing
  • Automated scanning, fuzzing, or stress testing tools that generate excessive or abnormal traffic
  • Testing, accessing, or impacting real customer or third-party user accounts (only self-owned or explicitly authorized test accounts are permitted)

Vulnerabilities not eligible for rewards:

  • UI / UX issues without security impact
  • Issues that have been clearly reported and confirmed (rewards granted to the first valid reporter only)
  • Theoretical or non-exploitable issues with no real security impact
  • Vulnerabilities that exist only in previously fixed or deprecated versions
  • Functional bugs unrelated to data security, access control, or system integrity

Authorization & safe harbor

Thordata considers security research activities, when conducted in good faith, in compliance with this program, and without harm to users or business operations, to be authorized.

To the extent permitted by applicable law:

  • Thordata will not initiate legal action against researchers for activities conducted in accordance with this program
  • Such activities will not be considered unlawful circumvention of Thordata’s technical protection measures
  • Such activities will not be considered a violation of Thordata’s Terms of Service or Acceptable Use Policy

Researchers should comply with applicable laws and regulations. Testing must be conducted only with authorized accounts, without accessing, downloading, or disseminating real user data. Stop and report immediately upon discovering vulnerabilities or sensitive data, and ensure testing frequency does not impact system stability.

If a third-party dispute arises from compliant research activities, Thordata will reasonably assist in clarifying that the research was conducted under this program.

Reward rules

Thordata offers tiered cash rewards based on the severity, exploitability, and real-world impact of reported vulnerabilities. Final reward amounts are determined by the Thordata Security Team.

Low Severity

$100 – $300

  • Web-based Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF) or clickjacking
  • Minor security misconfigurations on production servers
  • Reports of misused or abused Thordata accounts

Medium Severity

$300 – $1,000

  • Remote Code Execution affecting SDK users
  • Extraction of customer data from production services
  • Access control issues exposing personally identifiable information
  • Unauthorized access to or control of another customer’s account

High Severity

$1,000 – $2,000

  • Remote Code Execution (RCE) in production environments
  • Significant authentication bypass in production systems

Reward rules & payment terms

  1. Rewards are paid in USD and via PayPal. Payments are subject to applicable local laws and regulations, and tax obligations are the responsibility of the recipient;
  2. Please include valid payment methods in your report;
  3. Rewards must be claimed within 2 months; unclaimed rewards will expire;
  4. Final reward amounts may be adjusted based on actual impact (severe cases may exceed tier limits; low-impact cases may receive reduced rewards);
  5. Each vulnerability is rewarded once only; duplicate or split submissions are not eligible for additional rewards;
  6. The following are not eligible for rewards: DoS attacks, abuse of high-traffic testing tools, compromise of real customer accounts, optimization or non-security-related bugs.

Reporting & disclosure

Please submit vulnerability reports to: security@thordata.com

Reports should include:

  • Vulnerability summary
  • Detailed reproduction steps
  • Actual security impact
  • Remediation suggestions (optional)
  • Relevant screenshots, videos, files, or links to uploaded materials

Do not publicly disclose or share vulnerability details until at least 60 days after the vulnerability is confirmed or fully remediated by Thordata.

We typically acknowledge receipt within 3–5 business days and will remain in communication throughout evaluation and remediation.

If you have any questions about this program or whether a research activity is in scope, please contact us at security@thordata.com before testing.
We also welcome suggestions for improving this program.
