ProxySmart maintains an open channel for qualified security researchers. This page documents the technical review programme, responsible disclosure process, and the terms under which we engage with the research community.
ProxySmart treats rigorous, good-faith research as a contribution — whether the subject is a vulnerability in our code, a design decision open to challenge, or a claim about what our platform does and does not do.
We commit to engaging researchers directly, responding promptly, acknowledging contributions publicly where welcomed, and providing access to the artefacts needed to verify technical claims under structured, mutual terms. This page sets out how that works in practice.
For researchers who want to verify technical claims about ProxySmart's architecture — including what the platform does and does not include — we provide access to the relevant artefacts under a mutual non-disclosure arrangement.
Under signed NDA, qualified researchers receive access to:
The following remain proprietary and are not included:
For security vulnerabilities — including bugs, misconfigurations, and unintended behaviours — ProxySmart operates a coordinated disclosure process aligned with recognised industry standards.
Compensation for security researchers who identify vulnerabilities in ProxySmart's code and deployed infrastructure.
Rewards will be scaled by severity, validated under a published rubric, and settled through the programme's payment rails to avoid cross-border remittance friction for individual researchers.
Scope — security findings only. The bounty programme applies exclusively to verifiable security issues: vulnerabilities, misconfigurations, authentication bypasses, data exposure, and other defects with demonstrable security impact. General commentary, architectural critique, policy analysis, and independent research output remain welcome through the Technical Review Programme above, but are not eligible for bounty compensation.
In the interim, valid security findings reported through the responsible disclosure process are eligible for acknowledgement, direct engagement with our engineering team, and discretionary compensation assessed case by case. Researchers who report qualifying issues now will be invited to the structured programme at launch.
Public acknowledgement of researchers whose findings have led to corrections, improvements, or meaningful engagement with ProxySmart.
This section will list researchers chronologically as engagements complete. If you have submitted a report and would like to be credited here, please indicate this in your correspondence.
Independent security researchers, academic institutions, infrastructure intelligence firms, and analysts conducting good-faith technical assessment. Affiliation with a recognised research group, relevant publication history, or a professional reference is helpful but not strictly required. The NDA structure is designed to work for individual researchers as well as organisations.
Yes. Publication rights are agreed as part of the NDA and are not unreasonably restricted. The standard arrangement permits publication of findings, methodology, and conclusions after a short pre-publication review window, which exists solely to correct factual errors — not to suppress unfavourable conclusions. If a researcher disagrees with our position after review, we encourage publishing the disagreement and our response side by side.
We encourage independent verification. Where a published report has characterised the platform's capabilities, a qualified researcher can conduct an independent review and confirm, qualify, or contradict those claims against the actual codebase and documentation. ProxySmart's detailed response to recent third-party research is available here, alongside an architectural diagram that lays out the platform's functional boundaries.
The device driver layer, which is proprietary and handles low-level integration with specific hardware modems, is outside the review scope. It is also not relevant to verifying the platform's architectural claims — the absence of SMS origination, voice primitives, USSD handling, and SIM-box interconnect functionality can be fully verified through the application, server binaries, and architecture documentation that are made available.
Lawful, properly scoped requests from competent authorities are handled through formal channels, reviewed by legal counsel, and responded to in accordance with applicable jurisdictions. ProxySmart does not provide ad-hoc access outside of such processes. Researchers reporting findings with potential law-enforcement relevance are asked to flag this in their initial contact.
We welcome these as well, through the same contact point. Non-security feedback is not governed by the disclosure process described above, but a named contact will respond within the same timeframe and engage substantively. Criticism of design decisions, abuse-surface analysis, and policy feedback have all led to concrete changes in the past.
Yes. Anonymous reports are accepted and triaged on technical merit alone. We cannot acknowledge the researcher publicly, offer bounty compensation, or engage in follow-up dialogue without an identifiable correspondent — but the issue itself will still be investigated and fixed.
A single channel handles all research correspondence — technical review requests, vulnerability reports, policy questions, and engagement with recent published research.