We'd be stupid not to run a responsible disclosure program.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible.
What you're allowed to do:
- Email your findings to security [@] bugbounty (d0t) me.
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
What you shouldn't do:
- Do not take advantage of the vulnerability or problem you have discovered.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications.
- Do not use any automated scanning tools.
- Do not run any tests or attacks against our server infrastructure. This includes, but is not limited to, the web server. The website is hosted on a shared hosting service. We're more interested in security issues in our websites.
We're mainly interested in vulnerabilities on bugbounty.me, but severe findings on *.bugbounty.me may qualify, too.
Out of scope
The following issues are out of scope, because they usually pose a small risk to our users. If you can prove us wrong, for example with an account takeover that uses an out-of-scope issue, we'll be happy to hear about it.
- Weak passwords/policy: This is a portal designed for hackers, so they should know how to create and use passwords.
- Issues that are not actively exploitable.
- SSL-related issues: Our web hosting provider manages the SSL setup. Issues arising at the web application level are in scope.
- Cookie flags: We think our current configuration is OK.
- User enumeration: All users can be found on the hackers page. No need to enumerate them.
What we do
- We will respond to your report within 3 business days; otherwise, feel free to ping us via Twitter.
- If you have followed the instructions above, we will not take any legal action against you in regard to the report.
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
- We will keep you informed of the progress towards resolving the problem. If you think that we forgot about your issue, feel free to contact us again.
- If you're the first to discover a specific issue, we'll list your name and your Twitter handle in our hall of fame.
- You understand that it is at our discretion which bugs qualify for being listed in the hall of fame.
Hall of Fame
- Koutrouss Naddara - Missing SPF record