11/04/2018

Reward

10000 ¥ 

pixiv

Rules

Only test for vulnerabilities on the web applications stipulated in the Scope section. Any vulnerabilities reported on web applications that are out of scope are not eligible for bounty rewards.

This is a production environment. Do not create more accounts than necessary to perform your tests, and please delete your account as soon as you have finished testing.
Please note that you should only perform tests against pages you created, never other users' pages.
To be eligible for a bounty reward under this program you must follow the rules stipulated above.


Any vulnerability test against domains that are out of scope is explicitly prohibited.

Any violation of the Terms of Service of “BugBounty.jp”, and/or performance of a DoS (Denial of Service) attack or an equivalent act that can degrade the performance of our service, is also explicitly prohibited.


In addition to the items listed in the "Not Eligible For Bounty" section, the following are out of scope for our program.

  • Lack of security headers without an actual attack scenario
  • Phishing attack via registration email (e.g. making username a URL)
  • Tabnabbing
  • Disclosure of pixiv's numeric ID such as user ID and illustration ID (unless it compromises user privacy)
  • Lack of rate limit

We will pay a fixed amount of bounty determined by the severity category as described below.
Critical: 300,000 JPY
Example: Compromising important infrastructure or data (RCE, DB/Filesystem breach)

High: 100,000 JPY
Example: Access to user privilege with little or no restriction (Account takeover, Payment flaw, Unsandboxed stored XSS)

Medium: 50,000 JPY
Example: Limited access to user privilege (CSRF, XSS with restrictions)

Low: 20,000 JPY
Example: Limited disclosure of user data or other attacks with low overall risk (Minor information leakage, Open redirect, etc.)

Scope

Web application

Name

pixiv services

URL

  • https://www.pixiv.net/
  • https://factory.pixiv.net/
  • https://booth.pm/
  • https://chatstory.pixiv.net/
  • https://pay.pixiv.net/
  • https://comic.pixiv.net/
  • https://sensei.pixiv.net/
  • https://sketch.pixiv.net/

Domain

  • *.booth.pm
  • www.pixiv.net
  • accounts.pixiv.net
  • app-api.pixiv.net
  • bungei-api.pixiv.net
  • chatstory.pixiv-app.net
  • chatstory.pixiv.net
  • comic-api.pixiv.net
  • embed.pixiv.net
  • factory.pixiv.net
  • m.pixiv.net
  • oauth.secure.pixiv.net
  • payment.pixiv.net
  • pixiv.me
  • public-api.secure.pixiv.net
  • sensei.pixiv.net
  • ssl.pixiv.net
  • booth.pm

iOS application

Name

pixiv PAY

URL

  • https://itunes.apple.com/app/pixiv-pay/id1261274472

Android application

Name

pixiv PAY

URL

  • https://play.google.com/store/apps/details?id=jp.pxv.pay

Eligible For Bounty

  • Cleartext Transmission of Sensitive Information up to 20,000 yen
  • Session Fixation up to 20,000 yen
  • UI Redressing (Clickjacking) up to 20,000 yen
  • Open Redirect up to 20,000 yen
  • Remote Code Execution up to 300,000 yen
  • SQL Injection up to 300,000 yen
  • Command Injection up to 300,000 yen
  • Authentication up to 100,000 yen
  • Cross-Site Scripting up to 100,000 yen
  • Privilege Escalation up to 100,000 yen
  • XML External Entities (XXE) up to 50,000 yen
  • Information Disclosure up to 50,000 yen
  • Cross-Site Request Forgery (CSRF) up to 50,000 yen
  • Server-Side Request Forgery (SSRF) up to 50,000 yen
  • HTTP Response Splitting up to 20,000 yen
  • Forced Browsing up to 20,000 yen
  • Path Traversal up to 20,000 yen

Not Eligible For Bounty

  • Vulnerabilities found through automated scans or tools
  • Hypothetical or theoretical vulnerabilities without actual verification (proof-of-concept) code
  • Vulnerabilities with capability of Denial of Service attack
  • Vulnerabilities with capability of brute force against password or tokens
  • Password, email and account policies, such as email id verification, reset link expiration, password complexity
  • Login/Logout CSRF
  • Missing CSRF tokens
  • CSRF on forms that are available to anonymous users (e.g. contact form)
  • Missing security headers
  • Vulnerabilities found in domains that are out of scope
  • Vulnerabilities affecting outdated browsers or platforms
  • Presence of autocomplete attribute on web forms
  • Missing secure flags on non-sensitive cookies
  • Reports of insecure SSL/TLS ciphers
  • Vulnerabilities with capability of username/email enumeration
  • Descriptive error messages (e.g. Stack traces, application or server errors)
  • Banner disclosure on servers
  • Misconfiguration of SPF record, DMARC and DKIM

Notes

For eligibility details, please refer to the "Terms of Service Article 4" of this site.

FireBounty © 2015-2019