I have found a vulnerability on your site and I would like to report it.
We do reward valid reports depending on the severity/impact of the issue found.
Please read the details of our bug bounty program below:
The following kinds of findings are specifically non-rewardable within this program:
- Self XSS
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Fingerprinting/banner disclosure on common/public services
- Disclosure of known public files or directories (e.g. robots.txt)
- Clickjacking and issues only exploitable through clickjacking
- CSRF on forms that are available to anonymous users
- Logout Cross-Site Request Forgery (logout CSRF)
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Lack of Secure and HTTPOnly cookie flags
- Weak Captcha/Captcha Bypass
- Login or Forgot Password page brute force and account lockout not enforced
- OPTIONS HTTP method enabled
- HTTPS Mixed Content Scripts
- Username / email enumeration
  - via Login Page error message
  - via Forgot Password error message
- Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers)
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- Misconfigured or lack of SPF records
- Out of date software versions
- Vulnerabilities in third-party components
- Bugs that require phishing
- Lack of server-side session handling
The program covers any exploitable vulnerability that can compromise the integrity of our user data, crash applications, or disclose sensitive information (for example remote code execution, SQL injection, Cross-Site Scripting, Cross-Site Request Forgery, information disclosure of sensitive data, or authentication theft or bypass).
Make sure your submission report includes the proof of concept and replication information.
Submissions that include just the output of automated tools will be marked as invalid. You must clearly outline the attack vectors and reproduction steps to accomplish the compromise.
We encourage you to send your submissions in an encrypted format to email@example.com. We prefer PGP and you can import our public key attached to this e-mail.
Make sure your report includes:
- A clear and relevant title
- Affected product/service
- Vulnerability details and impact
- Reproduction steps / Proof of Concept
In general, we don't give cash or swag rewards for bug bounty submissions, but we might make exceptions based on the severity and quality of the report.