Bug Bounty Program

Scope

  • Domain: site.pro (main domain only; subdomains such as "tw.site.pro" and any others are not in scope)
  • Registration in the bounty program is required
  • Report the vulnerability by creating a ticket (choose any available category)

Vulnerabilities

  • Unauthorized access to project servers (vulnerabilities that lead to remote code execution, RCE);
  • XSS vulnerabilities on the assets with critical functionality (with proven script execution);
  • Server-side vulnerabilities with information disclosure (e.g. memory leaks or insecure direct object references) of critical or highly confidential data;
  • Authentication bypass or privilege escalation;
  • Injection vulnerabilities;
  • Any other vulnerability that can lead to loss of user privacy.

Issues considered out of scope:

  • Disclosure of non-sensitive information (e.g. project version) and information that does not present significant risk;
  • Reports of a missing protection mechanism or current best practice (e.g. no CSRF token, framing/clickjacking protection, tabnabbing) without demonstration of real security impact for the user or system;
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions;
  • CSRF on self-hosted servers, unless proven to be present on the public server;
  • Self-XSS;
  • Remaining EXIF data in images that are uploaded to the service;
  • Attacks requiring MITM or physical access to a user's device;
  • Content spoofing and text injection issues without showing an attack vector;
  • Missing best practices in SSL/TLS configuration or in Content Security Policy;
  • Missing HttpOnly or Secure flags on cookies;
  • Missing DNSSEC on the domain;
  • Missing best practices (e.g. security headers; invalid, incomplete or missing SPF/DKIM/DMARC records, etc.);
  • Missing rate-limit methods without demonstration of real security impact for the user or system;
  • Insecure password complexity requirements;
  • Vulnerabilities related to 3rd-party software unless they lead to vulnerability in our scope;
  • Vulnerabilities involving stolen credentials;
  • Phishing and social engineering;
  • Issues that require unlikely victim interaction not causing any harm to that victim;
  • Providing publicly leaked sensitive user data without demonstration of a specific vulnerability, which causes leak of that data, and which is currently reproducible on the website;
  • Related problems (with the same root) that were reported and confirmed previously;
  • Publicly disclosed issues;
  • Vulnerabilities assuming lost (stolen) access to one of the OAuth methods or email that can be used on Site.pro for authentication;
  • Vulnerabilities that involve the Cookie Editor browser plugin.

Program Rules

  • If you think you have found a security vulnerability, please provide us with a detailed report with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received.
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (phishing, etc.) is prohibited.
  • Vulnerability must be original and previously unreported.
  • Do not perform any attack that could harm the reliability or integrity of our services or data.
  • Avoid scanning techniques that are likely to cause degradation of service to our customers (for ex. DDoS, spamming).
  • Refrain from stealing or disclosing users' private information.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Amount of Reward

In determining the amount of payout, we will take into account the level of risk and impact of the vulnerability:

  • Critical: 400–500 EUR. Direct server or database access. Full access to administrative resources.
  • High: 200–300 EUR. Possibility to modify any data of other users.
  • Medium: 100–200 EUR. Performing actions on other users' behalf with no victim interaction. Viewing critical user data such as payments or contact details.
  • Low: 10–100 EUR. Any other unlikely action from the user's perspective that causes harm to that user and/or brings benefit to the attacker.

You will receive the funds in your account within 10 working days after providing an invoice.
An invoice must contain the following "Bill to" information:

JSC "B1.lt"
Company code: 304868214
VAT code: LT100011744514
Address: Taikos pr. 52C, Klaipeda, Lithuania
© Site.pro 2011. Website Builder. United States.