Bug Bounty

As a part of CAST AI’s commitment to providing secure products, we reward contributors who share with us the reports of any bugs affecting security. Send your report by email to [email protected].

List of endpoints

What it does: This endpoint is the entry point to our API.

What to look for: We are generally interested in application logic bugs, privilege escalation, RCE.

What it runs on: The API is written in Golang.

What it does: This subdomain lets you access a client-side interface that calls the API (api.cast.ai).

What it runs on: The web app is written in React.

To qualify for a bounty you must

  • Be the first to report a specific vulnerability
  • Not seek or leverage the vulnerability for additional or external bounties or rewards
  • Provide a clear report, which includes a working exploit:
    • A detailed description of the issues being reported.
    • Any suggestions on how to improve.
    • Enough information for CAST AI to be able to reasonably reproduce the issue.


CAST AI Bug Bounty Program payments are granted solely at the exclusive discretion of CAST AI. You are responsible for the payment of all applicable taxes if any.

We appreciate people testing our security, but CAST AI customers must not be affected by any research or tests. Under any circumstance, do not:

  • Violate any laws;
  • Access or change accounts of other CAST AI customers;
  • Damage or change our systems;
  • Compromise the availability of our services (e.g. Denial of Service);
  • Run scanning tools or test the Cloud Providers' infrastructure;
  • Use any social engineering techniques to access our systems or reach out to CAST AI employees;
  • Test our partners;
  • Reveal any private data to third parties or to the public.

We’ve received lots of submissions and paid thousands for your help since the beginning of our Bug Bounty program. We’d like to thank everyone for such an incredible response!

At the moment, we are looking for deeper bugs in our product and platform, the kind that take time and effort to understand before vulnerabilities can be found.

The following elements are out of scope:

  • cast.ai – WordPress;
  • login.cast.ai – all registration, password resets, social & email login, email validation, session handling on logout;
  • console.cast.ai (partially) – login, headers, XSS, and public JS files.