SendSafely
Hall of Fame


All pages and URLs hosted under are included within the scope of our bug bounty program, and you can register for a free account on our website. When performing your testing, we ask that you please abide by the following rules:

  • Do not use vulnerabilities to access, modify, harm, or otherwise alter any data that does not belong to you.
  • Do not exploit vulnerabilities except for the purpose of demonstrating them to us.
  • Do not conduct network level or Denial of Service testing or traffic flooding attacks against our systems.

If you are unsure of exploitability, please contact us and one of our security engineers will work with you to verify it safely.

This program only awards points for submissions.


In scope

Target name | Type
<> | Other

Testing is limited to*
Out of scope:

  • All subdomains
  • All third-party systems (for example, but not limited to: Zendesk, GitHub, Stripe, Tumblr)

Sign up for an account at:

  • This will create a fully functional account that is valid for 30 days.
  • The account will still be valid after 30 days, but functionality will be limited.
  • As part of the registration process you will receive an email and be asked to complete a profile. When completing the profile, please use Last Name = Bugcrowd to indicate you are a Bugcrowd tester.

This is a production environment.

  • Do not conduct tests that will impact the performance of the environment, such as:
    • Aggressive Scanning
    • Aggressive Scripting
    • Network level Denial of Service (DoS/DDoS)
    • Brute Force Testing

The following finding types are specifically excluded from the bounty:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • CSRF on forms that are available to anonymous users (e.g. the contact form) and the Login/Logout URL.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of HTTPOnly cookie flags.
  • Lack of Security Speedbump when leaving the site.
  • Login Brute Force (unless the CAPTCHA can be bypassed)
  • OPTIONS HTTP method enabled
  • Missing X-Content-Type-Options Header
  • Use of SHA-1 SSL Certificate and support for TLS 1.0
  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘Targets’ section
  • Functional bugs and/or spelling mistakes

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.

FireBounty © 2015-2019
