Banner object (1)

5283 policies in database
  Back Link to program      
Boozt Fashion logo
Hall of Fame


125 $ 

Boozt Fashion

Boozt Fashion invites you to test and help secure our primary publicly facing assets - focusing on our web and mobile applications. We appreciate your efforts and hard work in making the internet (and Boozt Fashion) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!


For the initial prioritization/rating of findings, this program will use theBugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward range

Last updated 13 Feb 2020 00:33:23 UTC

Technical severity | Reward range
p1 Critical | $2,500 - $3,000
p2 Severe | $2,000 - $2,500
p3 Moderate | $500 - $750
p4 Low | $125 - $300

P5 submissions do not receive any rewards for this program.


In scope

Target name | Type
* | Website Testing
* | Website Testing
Boozt iOS App | iOS
Boozt Android App | Android

Boozt uses a few third-party providers and services that we cannot authorize security testing against and as such these would be considered as Out of Scope.

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Boozt Fashion not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to before submitting.

Access and Credentials:

Please test using your own account for sign up.
For checkout and purchase related testing: You can use your own credit/debit card for checkout and once completed cancel your test order.

Focus Areas:

  • Vulnerabilities that could expose private user data or in any other way affect user or Boozt data security. Very good and severe vulnerability examples are SQL injection, server-side code execution, XSS, LFI/RFI.


**These are vulnerabilities that we are aware of and are accepted risk or

are already on the roadmap to being fixed (out of scope):**

- **Missing CSRF tokens on forms, any reports on CSRF issues regarding

adding/remove cart items, favorites, recent items, etc, and login/logout CSRF issues (We are reviewing this internally and addressing all known cases. Any submission of these will be marked as Not Applicable).**

  • Contact form and Messenger contact under Customer Support
  • Sessions not being invalidated when a best practice says so
  • Sessions being hijacked because of HTTP
  • Reports from automated tools or scans
  • Rate limitations (e.g. reset password, login, etc). Also includes BruteForce / DDoS reports.
  • Phishing
  • Clickjacking (or any other security issue achieved through using Clickjacking)
  • Non-secure FTP connections
  • Missing HTTP security headers
  • Full-Path Disclosure
  • Non-usage of HTTPS on specific parts of the site (we have a plan for the fixes in the roadmap already) - this includes links to other sites/domains
  • HTTPS Caching issues
  • Reports of insecure SSL/TLS ciphers
  • BREACH, CRIME reports
  • Version number information disclosure
  • User enumeration
  • HTTP Public-Key-Pins (HPKP)
  • Reports of insecure crossdomain.xml configuration
  • Social engineering of Boozt staff
  • Issues on services not under Boozt control
  • Spam techniques, including SPF and DKIM issues
  • Code Obfuscation in Mobile Apps
  • Issues relating to Password Policy
  • Best practices concerns (evidence of a security issue required)
  • Race conditions that don't compromise the security of Boozt or our customers

Jailbroken/rooted devices

Vulnerabilities affecting Mobile Apps on jailbroken or rooted devices will be considered out of scope unless they expose sensitive data other than user is currently or was previously using the device.

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

Scope Type Scope Name

Boozt Android App


Boozt iOS App





This program have been found on Bugcrowd on 2019-12-13.

FireBounty © 2015-2020

Legal notices