Please read the details of our bug bounty program below and send your findings according to the submission process.
The following findings are specifically non-rewardable within this program:
- Self XSS
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting/banner disclosure on common/public services
- Disclosure of known public files or directories (e.g. robots.txt)
- Clickjacking and issues only exploitable through clickjacking
- CSRF on forms that are available to anonymous users
- Logout Cross-Site Request Forgery (logout CSRF)
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Lack of Secure and HTTPOnly cookie flags
- Weak Captcha/Captcha Bypass
- Login or Forgot Password page brute force and account lockout not enforced
- OPTIONS HTTP method enabled
- HTTPS Mixed Content Scripts
- Username / email enumeration
  - via Login Page error message
  - via Forgot Password error message
- Missing HTTP security headers, e.g.:
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
  - X-Content-Type-Options
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  - Content-Security-Policy-Report-Only
- Misconfigured or lack of SPF/DKIM records
- Out of date software versions
- Vulnerabilities in third-party components
- Bugs that require phishing
- Lack of server-side session handling
- User spamming through Forgot Password feature
Qualification Criteria
The program covers any exploitable vulnerability that can compromise the integrity of our customer’s data, can crash applications, or that discloses sensitive information (for example remote code execution, SQL injection, Cross-Site Scripting, Cross-Site Request Forgery, information disclosure of sensitive data, authentication theft, or bypass).
Make sure your submission report includes the proof of concept and replication information.
Non-qualifying vulnerabilities
Submissions that include just the output of automated tools will be marked as invalid. You must clearly outline the attack vectors and reproduction steps needed to accomplish the compromise.
Submission process
Please send your reports directly to the Bitrise Security Team (security@bitrise.io). Do not submit as a support ticket! This will ensure your report reaches us directly and we can respond sooner.
We encourage you to send your submissions in an encrypted format (we prefer PGP). Our public key can be downloaded from here: Bitrise Security (94BE527F) – Public.asc
If you found multiple vulnerabilities, please send them in separate emails.
Make sure your report includes:
- A clear and relevant title
- Affected product/service
- Vulnerability details and impact
- Reproduction steps / Proof of Concept
Rewards
Typically we don't give cash or swag rewards for bug bounty submissions, but we might make an exception based on the severity and quality of the report.