Xvideos looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
While we are doing our best to keep Xvideos services as safe as possible, we know that some bugs can slip through our scrutiny.
If you believe you've found a security issue in the services listed in our scope, we will work with you to resolve it promptly and ensure you are fairly rewarded for your discovery.
The scope of this program is limited to security vulnerabilities found on the Xvideos, Xvideos Red, Xnxx, and Xnxx Gold websites, as well as in the Xvideos and Xnxx mobile applications. Vulnerabilities reported on other properties or applications are currently not eligible for a monetary reward. High-impact vulnerabilities outside of this scope might be considered on a case-by-case basis.
If you want to report a bug that has no security or privacy impact, please fill in the form at https://info.xvideos.com/contact
https://www.xvideos.com
https://www.xvideos.red
https://www.xnxx.com
https://www.xnxx.gold
https://www.xvideos.net/app/
Please note that cams.xvideos.com and cams.xnxx.com are not in the domain list and are not eligible for a monetary reward. Please report bugs and security issues for the cams domains at https://www.vsmedia.com/bugs/
Xvideos may provide rewards to eligible reporters of qualifying vulnerabilities. Reward amounts vary depending upon the severity of the vulnerability reported.
Xvideos reserves the right to decide whether the minimum severity threshold is met and whether the reported bug is already covered by a previously reported vulnerability. Rewards are granted entirely at the discretion of Xvideos. To qualify for a reward under this program, you must meet all of the criteria below.
We are happy to work with everyone who submits valid reports which help us improve the security of Xvideos and Xnxx.
However, only those that meet the following eligibility requirements may receive a monetary reward:
You need to be the first person to report a previously unknown issue.
Any vulnerability found must be reported no later than 24 hours after discovery.
You are not allowed to disclose details about the vulnerability anywhere else.
You must avoid tests that could cause degradation or interruption of our service.
You must not leak, manipulate, or destroy any user data.
You are only allowed to test against accounts you own yourself.
The use of automated tools or scripted testing is not allowed.
You must not be a former or current Xvideos employee.
Send a clear written description of the issue along with the steps to reproduce the vulnerability; include attachments such as screenshots or proof-of-concept code as necessary.
Disclose the vulnerability report exclusively through HackerOne.
A good bug report should include the following information at a minimum:
List the URL and any affected parameters
Describe the browser, OS, and/or app version
Describe the perceived impact. How could the bug potentially be exploited?
We intend to respond to and resolve reported issues as quickly as possible. This means that you will receive progress updates from us at least every five working days.
Note that publicly posting details of or conversations about the report, or posting anything that reflects negatively on the program or the Xvideos / Xnxx brand, will result in immediate disqualification from the program.
Please note that these are examples, and the list is non-exhaustive.
Vulnerabilities with a real security impact, for example:
Easy (zero to one click) user account takeover
Backend interface takeover
Server takeover (or potential takeover)
Etc ...
Network or simple Denial of Service attacks.
Physical attacks against offices and data centers.
Social engineering of our service desk, employees or contractors.
Compromise of an Xvideos user's or employee's account.
Automated tools or scans, botnets, compromised sites, end clients, or any other means of large-scale automated exploitation, or use of a tool that generates a significant volume of traffic.
Issues of these types may still be accepted if they lead to a serious data leak.
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Account enumeration
Missing HTTP Headers
SSL/TLS best practices
Denial of Service and brute forcing attacks
Physical attacks against offices and data centers
Social engineering of our service desk, employees or contractors
Compromise of Xvideos user or employee accounts
Use of a tool that generates a significant volume of traffic
Any hypothetical flaw or best-practice recommendation without an exploitable proof of concept
Session timeout
Session Hijacking (cookie reuse)
Clickjacking
DKIM/SPF/DMARC issues
Information leakage, data cached in search engines or the web archive
Software version disclosure
HttpOnly, SameSite and Secure cookie flags
Downloading videos
Anything related to confirmation emails
Scope Type | Scope Name |
---|---|
web_application | https://www.xvideos.com |
web_application | https://www.xvideos.red |
web_application | https://www.xnxx.com |
web_application | https://gold.xnxx.com |
web_application | https://www.xvideos.net/app/ |
This program was found on HackerOne on 2021-08-18.
FireBounty © 2015-2024