Program Scope

These are the starting severities for each boundary. If you have questions, Ask us.

App	Exfiltrates data from external systems	Modifies data in external systems without authorization	Executes arbitrary code on external systems
	Read $1k-$5k	Write $2.5k-$7.5k	Execute $5k-$10k
In-Scope Products
Amazon
Kiro

Cursor
Cursor

Google
Google Antigravity

Microsoft
CoPilot

OpenAI
Atlas

Perplexity
Comet Browser

Windsurf
Windsurf

Eligibility Criteria

Submissions must demonstrate that an app can be manipulated into taking unauthorized actions against external systems. Causing the model to produce harmful text alone does not qualify.

Read - Agent reads data it should not access (e.g. exfiltrating files, credentials, or private data from a connected tool)
Write - Agent modifies or deletes external data without authorization (e.g. sending emails, committing code, creating calendar events)
Execute - Agent runs arbitrary code or system commands on external infrastructure (e.g. shell commands via a code execution tool)

Attack Vectors

Direct

Attacker directly interacts with the app through its normal interface to manipulate it into taking unauthorized actions.
Injection

Attacker injects malicious instructions into content the agent processes - documents, web pages, emails, code, or tool outputs - causing unintended actions.
Social Engineering

Attacker crafts inputs that manipulate the agent into deceiving users, impersonating trusted parties, or taking actions on the user's behalf without consent.

Out of Scope

Reports where no external system action occurs (e.g. model produces harmful output but nothing external is affected)
Arbitrary model swaps - the app must be using a recognized in-scope model
Apps not listed in the table above
Theoretical vulnerabilities without a working proof of concept

Payouts may vary based on the underlying model. Final amounts are determined during triage.