Bug Bounty Program
If you want to let us know about a vulnerability, please submit a report via HackerOne.
The scope of the program
We offer rewards for reports that cover security vulnerabilities in our services, infrastructure and applications such as:
Your reward will depend on the vulnerability discovered as well as its security impact. See details below.
For a vulnerability that affects our entire platform
- Remote code execution (RCE)
- Gaining administrator access
- Injections with a significant impact
- Unrestricted access to local files or databases
- Server-side request forgery (SSRF)
- Critical information disclosure
For a vulnerability that doesn't require user interaction and affects many users
- Stored Cross-Site Scripting (XSS) with a significant impact
- An authentication bypass that allows change of user data or access to private data
- Insecure Direct Object References (IDOR)
- Subdomain takeover
For a vulnerability that requires user interaction or affects individual users
- Cross-Site Scripting (XSS), except self-XSS
- Cross-Site Request Forgery (CSRF)
- URL redirection
- User reputation manipulation
Note that reward amounts can be different. An actual reward may vary depending on the severity, genuineness and exploitation possibilities of bugs as well as the environment and other factors that affect security.
Vulnerabilities of auxiliary services such as Blog and vulnerabilities of non-production environments such as 'beta', 'staging', 'demo' etc. are rewarded only when they affect our service as a whole or may cause sensitive user data leakage.
- A bug report should include a detailed description of the discovered vulnerability and steps that need to be taken in order to reproduce it, or a working proof-of-concept. If you do not describe vulnerability details then it could take a long time to review the report and/or could result in a rejection of your report.
- Please only submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- Only the first person to report an unknown vulnerability will be rewarded. When duplicates occur, we will only award the first report if the vulnerability can be fully reproduced.
- You should not use automated tools and scanners to find vulnerabilities. Such reports will be ignored.
- You should not perform any attack that could damage our services or data including client data. DDoS, spam, and brute force attacks are not permitted.
- You should not involve other users without their explicit consent. Create private ideas, scripts and other content during your tests.
- You should not perform or try to perform non-technical attacks such as social engineering (e.g. phishing, vishing, smishing) or physical attacks against our employees, users or infrastructure in general.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Please make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Out of scope vulnerabilities
The following issues are considered out of scope:
- Vulnerabilities in users' software or vulnerabilities that require full access to user's software, account/s, email, phone etc.
- Vulnerabilities or leaks in third-party services.
- Vulnerabilities or old versions of third party software/protocols, missed protection as well as a deviation from best practices that don't create a security threat.
- Vulnerabilities with no substantial security impact or exploitation possibility.
- Vulnerabilities that require the user to perform unusual actions.
- Disclosure of public or non-sensitive information.
- Homograph attacks.
- Vulnerabilities that require rooted, jailbroken or modified devices and applications.
- Any activity that could lead to the disruption of our service.
There are several examples of such vulnerabilities that are not rewarded:
- EXIF geolocation data not stripped.
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions, logout CSRF.
- Weak ciphers or TLS configuration without a working Proof of Concept.
- Content spoofing or injection issues without showing an attack vector.
- Rate limiting or brute force issues on non-authentication endpoints.
- Missing HttpOnly or Secure flags on cookies.
- Software version disclosure. Banner identification issues. Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
- User existence. User, email or phone number enumeration.
- Lack of password complexity restrictions.
We would like to sincerely thank the researchers listed below for their contributions.
Jatinder Pal Singh