Bug Bounty Program

Scope

• Domains: site.pro (without any subdomains)
• Registration in bounty program required

Vulnerabilities

• Unauthorized access to project servers (vulnerabilities that leads to remote code execution RCE).
• XSS vulnerabilities on the assets with critical functionality (with proven script execution)
• Server-side vulnerability with information disclosure (for ex. memory leaks or insecure direct object references) of critical or highly confidential data.
• Authentication bypass or privilege escalation.
• Injection vulnerabilities
• Any other vulnerability that can lead to loss of user privacy.

Issues considered out of scope:

• Disclosure of non-sensitive information (for ex. project version) and information that does not present significant risk.
• Reports of missed protection mechanism / best current practice (for ex. no CSRF token, framing/clickjacking protection, tabnabbing) without demonstration of real security impact for user or system;
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions;
• CSRF on self-hosted servers, unless proved to be present on public server;
• Self-XSS
• Attacks requiring MITM or physical access to a user's device;
• Content spoofing and text injection issues without showing an attack vector;
• Missing best practices in SSL/TLS configuration or in Content Security Policy;
• Missing HttpOnly or Secure flags on cookies;
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.);
• Insecure password complexity requirements
• Vulnerabilities related to 3rd-party software unless they lead to vulnerability in our scope
• Vulnerabilities involving stolen credentials
• Phishing and social engenering
• Issues that require unlikely user interaction
• Publicly disclosed issues

Program Rules

• If you think you have found a security vulnerability - please provide us detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Social engineering (phishing and etc.) is prohibited.
• Vulnerability must be original and previously unreported.
• Do not perform any attack that could harm the reliability or integrity of our services or data.
• Avoid scanning techniques that are likely to cause degradation of service to our customers (for ex. DoS, spamming).
• Refrain from stealing and disclosure user's private information.

Disclosure Policy

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Amount of Reward

In determining the amount of payout, we will take into account the level of risk and impact of the vulnerability:

• Critical: 400—500 EUR (server or database direct access / full access to administrative resources)
• High: 200—300 EUR (possibility to modify any data of other users)
• Medium: 100—200 EUR (perform actions on other users behalf / view critical user data like payments or contact details)
• Low: 10—100 EUR (any other unlikely action from user perspective)

You will receive the funds in your account within 10 working days after providing an invoice.
An invoice must contain the following "Bill to" information: