FireBounty
Banner object (1)

Hack and Take the Cash !

790 bounties in database
  Back Link to program      
22/03/2018
Volusion V1 logo
Thanks
Gift
Hall of Fame
Reward

Reward

25 $ 

Volusion V1

Being pro-active rather than re-active to emerging security issues is a fundamental belief at Volusion. Every day new security issues and attack vectors are created. Volusion strives to keep abreast on the latest state-of- the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Out of scope:

  • Volusion.com
  • All Volusion.com subdomains
  • All other web-stores built by Volusion
  • Volusion demo stores
  • Mail.VolusionPenTest1.com

Targets

In scope

Target name | Type
---|---
<https://www.VolusionPenTest1.com> | Other

www.VolusionPenTest1.com is a sample web-store built using the Volusion platform and it's the target for this bounty.

Special focus on:

  • OWASP Top 10 and other critical web application vulnerabilities
  • Business logic, authorization and authentication flaws (e.g. obtaining administrative access to the store)
  • Unauthorized file upload

Additional information and Payment option information:

  • Highly intrusive scans and DoS/DDoS attacks are not allowed
  • Orders can be placed with a properly formatted "fake" credit card number (even when the site responds with a Gateway error)
  • No purchases will actually be processed
  • Federal Tax ID can be any number

The following finding types are specifically excluded from the bounty:

  • Descriptive error messages (e.g. application errors), 403 Forbidden errors or other HTTP non-200 codes/pages
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Missing HTTP headers (such as X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, etc.)
  • Presence of application or web browser 'autocomplete' or 'save password'
  • No email verification (when registering or emailing a friend)
  • Email flooding (e.g. on password reset)
  • Email enumeration
  • Weak password policy
  • Cross-site request forgery
  • Clickjacking
  • Missing SPF

Please read and follow the rules in the Standard Disclosure Terms.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.

FireBounty © 2015-2019

Legal notices