We'd be stupid not to run a responsible disclosure program.

Guidelines

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible.

What you're allowed to do:

  • Email your findings to security [@] bugbounty (d0t) me.
  • Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

What you shouldn't do:

  • Do not take advantage of the vulnerability or problem you have discovered.
  • Do not reveal the problem to others until it has been resolved.
  • Do not use attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications.
  • Do not use any automated scanning tools.
  • Do not run any tests or attacks against our server infrastructure. This includes, but is not limited to, the web server. The website is hosted on a shared hosting service, so such tests would affect other customers as well. We're more interested in security issues in our websites.

Scope

We're mainly interested in vulnerabilities on bugbounty.me, but severe findings on *.bugbounty.me may qualify, too.

Out of scope

The following issues are out of scope, because they usually pose only a small risk to our users. If you can prove us wrong, e.g. by demonstrating an account takeover through an out-of-scope issue, we'll be happy to hear about it.

  • Weak passwords/policy: This is a portal designed for hackers, so they should know how to create and use passwords.
  • Issues that are not actively exploitable.
  • SSL-related issues: Our web hosting provider manages the SSL setup. Issues arising at the web application level are in scope.
  • Cookie flags: We think our current configuration is OK.
  • User enumeration: All users can be found on the hackers page. No need to enumerate them.

What we do

  • We will respond to your report within 3 business days. If you have not heard from us by then, feel free to ping us via Twitter.
  • If you have followed the instructions above, we will not take any legal action against you in regard to the report.
  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
  • We will keep you informed of the progress towards resolving the problem. If you think that we forgot about your issue, feel free to contact us again.
  • If you're the first to discover a specific issue, we'll list your name and your Twitter handle in our hall of fame.
  • You understand that it is up to us to decide which bugs qualify for being listed in the hall of fame.

Hall of Fame

  • Koutrouss Naddara - Missing SPF record