Note before you post a BUG

Domains and Applications within the scope of the program


Qualifying Vulnerabilities

  • Injection attacks
  • Cross-Site Scripting (XSS)
  • Remote Code Execution (RCE)
  • Cross-Site Request Forgery (CSRF)
  • Broken Authentication
  • Authorization Flaws / Privilege Escalation
  • Directory Traversal
  • Sensitive Information leaks or disclosure

Non-Qualifying Vulnerabilities

  • Self XSS
  • Username or email address enumeration
  • Content spoofing / Text injection
  • XSS vulnerabilities on sandbox domains
  • Unvalidated / Open Redirects
  • Clickjacking on unauthenticated pages or on cases with no state-changing action
  • Login/Logout/Unauthenticated CSRF
  • Missing cookie flags on non-sensitive cookies
  • Missing security headers which do not lead directly to a vulnerability
  • Reports from automated tools or scans
  • Vulnerabilities affecting users of outdated or unsupported browsers or platforms
  • Attacks requiring physical access to a user device
  • Social engineering
  • Low impact descriptive error pages and information disclosures without any sensitive information
  • Invalid or missing SPF/DMARC records
  • Password and account policies, such as reset link expiration or password complexity
  • HTML Injection
  • WordPress XML-RPC exposure
  • Missing rate limiting on endpoints (where it raises no security concern)

* Note: You can still report these vulnerabilities if they are highly exploitable and come with a valid PoC; such reports may be eligible for Points / a Hall of Fame spot at the discretion of our Bounty Panel.

Note of thanks

We would like to sincerely thank the people listed in the Hall of Fame for their participation in the program and for responsibly disclosing the vulnerabilities they found.

Hall Of Fame for