docs: update-rewards-for-disclosures.

dhruvilj1 · robertjdominguez · hasura-bot · commit 89db601cfde6 · 2024-04-09T22:27:03.000Z
PR-URL: hasura/graphql-engine-mono#10770 Co-authored-by: Rob Dominguez <24390149+robertjdominguez@users.noreply.github.com> GitOrigin-RevId: 73d7ff33ca66d3e57b391acbd0d506784249f354
diff --git a/docs/docs/policies/security-disclosure.mdx b/docs/docs/policies/security-disclosure.mdx
@@ -28,14 +28,22 @@ emails about security announcements.
 We’re extremely grateful for security researchers and users who report vulnerabilities to the Hasura community. All
 reports are thoroughly investigated by the Hasura team.
 
-To report a security issue, please email us at <security@hasura.io> with details, if possible attaching relevant
-information. The more details we have, the quicker will we be able to fix potential vulnerabilities.
-
-We do not currently have a bug bounty program, however, for valid high and critical severity issues we may, at our
-discretion, choose to award a bounty. Please see our guidance at the bottom of the page for types of vulnerabilities
-which are in and out of scope. Do not use social engineering and make a good faith effort to avoid privacy violations,
-destruction of data, and interruption or degradation of our service. If you should accidentally do any of these things,
-stop immediately and report the issue.
+To report a security issue, please email us at <security@hasura.io> with the vulnerability details, and attach the
+relevant information including screenshots/videos. The more details we have, the quicker will we be able to fix any
+potential vulnerabilities.
+
+Hasura does not provide monetary reward for vulnerability disclosures however, at our sole discretion, we may make
+exceptions to this policy for exceptional contributions.
+
+You may be eligible for a reward if it requires a severe code/configuration change from our side. The rewards can be
+both monetary or swag.
+
+Please reference our guidance at the bottom of the page for the types of vulnerabilities that are in and out-of-scope.
+
+Do not use social engineering techniques and make a good faith effort to avoid any privacy violations, destruction of
+data, and interruption or degradation of our service.
+
+If you should accidentally do any of these things, please stop immediately and report the issue.
 
 ### When should I report a vulnerability?
 
diff --git a/yarn.lock b/yarn.lock
@@ -0,0 +1,4 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
