QUITTR Bug Bounty Program (Live)

Max Reward: $5,000
In-Scope Targets: 5
Avg. Response: < 24hrs
Resolved: 0

Program Overview

QUITTR invites security researchers to help identify and responsibly disclose vulnerabilities in our platform. We are committed to working with the security community to keep our users safe.

QUITTR is a recovery app used by over 1 million people. The personal nature of our users' data, including recovery progress, streaks, and journal entries, makes security a top priority. We take every report seriously.

Valid, well-documented reports are rewarded based on severity and impact.

Highlights

  • Rewards from $50 to $5,000 based on severity
  • Safe harbor for good-faith research
  • Web, API, and mobile apps all in scope
  • Initial response within 24 hours
  • Coordinated disclosure supported
  • Program launched April 16, 2026 with no end date

Focus Areas

We are especially interested in:

  • Authentication and authorization bypasses
  • User data exposure or privacy violations
  • Payment or subscription manipulation
  • Server-side request forgery (SSRF)
  • Remote code execution (RCE)
  • SQL injection and NoSQL injection
  • Cross-site scripting (XSS) with demonstrated impact
  • Insecure direct object references (IDOR)

Active Bounties

These are specific areas we are actively looking for help with. Higher payouts may apply for these targets.

Paywall Conversion Rate Drop-Off (High Priority)

Over the last month we've observed a ~30% drop-off in our paywall conversion rate. We suspect a bug or exploit is allowing users to bypass the paywall and access premium features without a valid subscription. We're looking for researchers who can reproduce the bypass, identify the root cause, and provide a detailed write-up of how it works across any platform (iOS, Android, or web).

Reward: Up to $5,000
Posted: Apr 16, 2026
Target: iOS, Android, Web

In Scope

Target                Type      Severity
*.quittrapp.com       Website   P1 – P4
api.quittrapp.com     API       P1 – P4
QUITTR iOS App        iOS       P1 – P4
QUITTR Android App    Android   P1 – P4
join.quittrapp.com    Website   P1 – P4

Out of Scope

  • Third-party services (Stripe, Firebase, RevenueCat). Report to those vendors directly
  • Social engineering (phishing, vishing, pretexting)
  • Denial of Service (DoS / DDoS)
  • Physical attacks against infrastructure
  • Vulnerabilities requiring physical device access
  • Automated scanner output without manual validation
  • Missing security headers without exploitable impact
  • SPF / DKIM / DMARC issues
  • Clickjacking on non-sensitive pages
  • Rate limiting on non-auth endpoints
  • Username/email enumeration via login or password reset
  • Content injection without demonstrated impact

Reward Range

Rewards are based on severity (CVSS-aligned). Final amounts depend on report quality, exploit complexity, and real-world impact.

P1 — Critical: $2,500 – $5,000
P2 — High: $1,000 – $2,500
P3 — Medium: $250 – $1,000
P4 — Low: $50 – $250

Bonus Multipliers

  • User data exposure: vulnerabilities exposing personal recovery data, journal entries, or account info may receive up to 2x the base reward
  • Payment bypass: issues affecting payment/subscription logic may receive up to 1.5x
  • Exploit chain: well-documented chains with real-world impact may receive an additional bonus

Payment

  • Paid within 14 days of validation
  • PayPal or bank transfer
  • First valid report takes priority. Duplicates are not rewarded

Coordinated disclosure required. Do not publicly disclose any vulnerability until we confirm a fix is deployed. We aim to resolve critical issues within 7 days.

Rules of Engagement

  • Only test against accounts you own or have explicit permission to test
  • Do not access, modify, or delete other users' data
  • Stop and report immediately if you encounter real user data
  • No automated scanning on production without prior approval
  • No attacks that could degrade service (DoS, resource exhaustion)
  • Include reproduction steps, screenshots, and/or proof-of-concept
  • Allow reasonable time for remediation before disclosure
  • One vulnerability per report. Chains may be submitted together

Safe Harbor

If you follow the rules above, we commit to:

  • Not pursuing legal action against good-faith researchers
  • Working with you to understand and validate your report
  • Timely updates on remediation
  • Public credit in our Hall of Fame (if you want it)

How to Submit

Email security@quittrapp.com with:

  • Description of the vulnerability and its impact
  • Step-by-step reproduction instructions
  • Affected target(s) and endpoint(s)
  • Screenshots, video, or working proof-of-concept
  • Your suggested severity (P1–P4)
  • Preferred payment method and contact info

Hall of Fame

Researchers who have made significant contributions to QUITTR's security. Thank you for helping us keep our users safe.

No entries yet

Be the first to report a valid vulnerability and earn your place here.

How It Works

  • Researchers with at least one validated report are eligible
  • You can choose to be listed by name, handle, or remain anonymous
  • Entries are ranked by total impact and number of valid reports
  • Top contributors may receive additional recognition and bonus rewards