04/11/2015
Reward types: Thanks, Gift, Hall of Fame, Reward (from 100 $)
Binary.com

No technology is perfect, and Binary.com believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Bounty Program

To show our appreciation of responsible security researchers, Binary.com offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts vary with the severity of the reported vulnerability, and eligibility is at our sole discretion. As a general ballpark:

Low risk - $100 to $200
This may include self-XSS, security-policy and best-practice issues, etc.

Medium risk - $200 to $400
Reflected or stored cross-site scripting, cross-site request forgery, logic bugs with potential for exploitation, etc.

High risk - $400 and above
Authentication bypass, SQL injection, XXE, remote code execution, etc.

Bounties are only paid to the very first reporter, and only if we make a code or system change in response to the report. Occasionally, if a duplicate report is of a high standard and the security issue is impressive, we may pay a bounty for the duplicate as well.

Exclusions

While researching, we'd like to ask you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Binary.com staff or contractors
  • Any physical attempts against Binary.com property or data centers

NOTE:-
It is strictly forbidden to use fully automated scanners on our live environments. You may use intercepting proxy tools such as Burp Suite or ZAP, but only for manual testing. DO NOT run automated scans against our servers. We can readily tell when a report has been copied and pasted from an automated scanner, and doing so will result in an immediate ban.

Scope

*.binary.com

A few of our sub-domains are third-party integrations, so bugs on them with very low impact may be rejected.
However, we have also paid out on behalf of our third-party integrations for exceptionally good security issues, and worked with the third-party owners to get them fixed.

Out-of-scope

• Presence/absence of SPF/DMARC records.
• Clickjacking on static pages.
• CSRF on forms that are available to anonymous users (e.g. the contact form)
• Login and logout CSRF issues
• Use of a known-vulnerable library (without evidence of exploitability)
• Vulnerabilities affecting users of outdated browsers and platforms
• Attacks requiring physical access to a user's device
• Reports from automated tools or scanners (please refrain from this; you will be banned for it)
• Presence of autocomplete attribute on web forms
• Missing cookie flags on non-sensitive cookies
• Disclosure of known public files or directories, (e.g. robots.txt)
• Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept, and not just a report from a scanner)
• Social engineering of Binary employees or contractors
• Any physical attempts against Binary property or data centers

HOWEVER, even for an issue on the out-of-scope list, if you genuinely believe the bug has an impact on our platform, please provide a convincing, working PoC. If it convinces us to change our code (EVEN IF IT'S A MINOR BUG) we will reward you with a bounty. Even if we do not change our code, we will mark the report as INFORMATIVE rather than NOT APPLICABLE so that you are not discouraged by negative HackerOne points.

Open-Source code

Please note that
Binary.com's front-end code is open-sourced at
https://github.com/binary-com/binary-static/
developers.binary.com is open-sourced at
https://github.com/binary-com/websockets

and other Binary.com-related code is open-sourced at
https://github.com/binary-com/

  • Please feel free to report any vulnerabilities found in this code by submitting a pull request on GitHub. HIGHER bounties will be awarded to reports that include a pull request with a suggested fix.

Thank you for helping keep Binary.com and our users safe!

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.
  • DO NOT try to over exploit the bug and access internal data for further vulnerabilities. We will determine the severity and reward accordingly.

In Scope

Scope Type        Scope Name
web_application   *.binary.com

Out of Scope

The explicit hosts below are excluded even though they match the *.binary.com wildcard above.

Scope Type        Scope Name
web_application   js.binary.com
web_application   record.binary.com
web_application   media.binary.com
web_application   xml.binary.com
web_application   login.binary.com
web_application   admin.binary.com


This program was found on HackerOne on 2015-11-04.

FireBounty © 2015-2019
