Being proactive rather than reactive to emerging security issues is a
fundamental belief at Volusion. Every day new security issues and attack
vectors emerge. Volusion strives to keep abreast of the latest state-of-
the-art security developments by working with security researchers and
companies. We appreciate the community's efforts in creating a more secure
world.
Out of scope:
- Volusion.com
- All Volusion.com subdomains
- All other web stores built on the Volusion platform
- Volusion demo stores
- Mail.VolusionPenTest1.com
Targets
In scope
Target name | Type
---|---
<https://www.VolusionPenTest1.com> | Other
www.VolusionPenTest1.com is a sample web store built on the Volusion
platform and is the only target for this bounty.
Special focus on:
- OWASP Top 10 and other critical web application vulnerabilities
- Business logic, authorization and authentication flaws (e.g. obtaining administrative access to the store)
- Unauthorized file upload
Additional information and payment details:
- Highly intrusive scans and DoS/DDoS attacks are not allowed
- Orders can be placed with a properly formatted "fake" credit card number (even if the site responds with a gateway error)
- No purchases will actually be processed
- Federal Tax ID can be any number
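The brief says test orders need a "properly formatted" card number but does not define the format. The following added example (not part of the Volusion program text) assumes, as is standard for card numbers, that "properly formatted" means a digit string of plausible length whose last digit satisfies the Luhn check, and shows how to validate one and mint one for a test store. The prefix and length below are illustrative inputs; the sample numbers are constructed for the example.

```python
"""Luhn validation and generation of test card numbers (added example).

Assumption: a "properly formatted" card number is an all-digit string whose
Luhn checksum is zero. Prefixes and lengths here are illustrative only.
"""
import random


def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum mod 10 for a digit string (0 means the number is valid).

    Walk the digits right to left; every second digit is doubled and, if the
    result exceeds 9, reduced by 9 (equivalent to summing its two digits).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True if `number` (spaces/dashes allowed) is a Luhn-valid digit string."""
    digits = "".join(c for c in number if c.isdigit())
    if len(digits) < 2 or len(digits) != len(number.replace(" ", "").replace("-", "")):
        return False  # reject empty/too-short input and any non-digit characters
    return luhn_checksum(digits) == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes `partial + digit` Luhn-valid."""
    return str((10 - luhn_checksum(partial + "0")) % 10)


def make_test_card(prefix: str, length: int, seed: int = 0) -> str:
    """Build a Luhn-valid number of `length` digits starting with `prefix`.

    Digits between the prefix and the check digit are random but seeded, so
    the same (prefix, length, seed) always yields the same number, which keeps
    test cases reproducible.
    """
    if not prefix.isdigit() or length <= len(prefix):
        raise ValueError("prefix must be digits and shorter than length")
    rng = random.Random(seed)
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


if __name__ == "__main__":
    # Constructed samples: a well-known Luhn-valid test number and a corrupted copy.
    print(luhn_valid("4111 1111 1111 1111"))   # True
    print(luhn_valid("4111 1111 1111 1112"))   # False
    print(make_test_card("4", 16))              # a 16-digit Luhn-valid number starting with 4
```

Because the brief states that no purchase is actually processed and a gateway error is acceptable, any number that passes this check is enough to exercise the checkout flow; there is no need to source real card data.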
The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. application errors), 403 Forbidden errors or other HTTP non-200 codes/pages
- Disclosure of known public files or directories (e.g. robots.txt)
- Missing HTTP headers (such as X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, etc.)
- Presence of application or web browser 'autocomplete' or 'save password'
- No email verification (when registering or emailing a friend)
- Email flooding (e.g. on password reset)
- Email enumeration
- Weak password policy
- Cross-site request forgery
- Clickjacking
- Missing SPF
Please read and follow the rules in the Standard Disclosure Terms.
Program rules
This program follows Bugcrowd's standard disclosure terms.
This program does not offer financial or point-based rewards for P5 (Informational) findings. Learn more about Bugcrowd's VRT.
This bounty requires explicit permission to disclose the results of a submission.