Note before you post a BUG

Domains and Applications within the scope of the program


Qualifying Vulnerabilities

  • Injection attacks
  • Cross-Site Scripting (XSS)
  • Remote Code Execution (RCE)
  • Cross-Site Request Forgery (CSRF)
  • Broken Authentication
  • Authorization Flaws / Privilege Escalation
  • Directory Traversal
  • Sensitive Information leaks or disclosure

Non Qualifying Vulnerabilities

  • Self XSS
  • Username or email address enumeration
  • Email bombing
  • Content spoofing / Text injection
  • XSS vulnerabilities on sandbox domains
  • Unvalidated / Open Redirects
  • Clickjacking on unauthenticated pages or on cases with no state-changing action
  • Login/Logout/Unauthenticated CSRF
  • Missing cookie flags on non sensitive cookies
  • Missing security headers which do not lead directly to a vulnerability
  • Reports from automated tools or scans
  • Vulnerabilities affecting users of outdated or unsupported browsers or platforms
  • Attacks requiring physical access to a user device
  • Social engineering
  • Low impact descriptive error pages and information disclosures without any sensitive information
  • Invalid or missing SPF/DMARC records
  • Password and account policies, such as reset link expiration or password complexity
  • HTML Injection
  • Wordpress XML-RPC exposure
  • Missing rate limitations on endpoints (without any security concerns)
  • Bypassing pricing/paid features restrictions

Note of thanks

We would like to truly thank the people listed in the Hall of Fame for their participation in the program and for making a responsible disclosure of the vulnerabilities.

Hall Of Fame for