Banner object (1)

Hack and Take the Cash !

844 bounties in database
  Back Link to program      
VHX logo
Hall of Fame


100 $ 


VHX's Responsible Bug Disclosure Policy

VHX engineers work hard to ensure that our site and users are 100% safe and sound. We greatly respect the work of security experts everywhere, and strive to stay up to date with the latest security techniques. But nobody's perfect. Should you encounter a security vulnerability in one of our products, we want to hear from you.

Before submitting a report, please review our guidelines below as to what constitutes a security vulnerability, and how we'd like you to go about finding them. Once you've filed a report, we promise to work expeditiously to evaluate and resolve any valid bugs.

Bounties are awarded based on merit at our discretion. After 3 medium or higher code based fixes, you can request to get a mention on our Bug Hall of Fame __.

Public Disclosure Process and Policy

  • VHX reserves the right to approve or deny any request for disclosure.
  • VHX has a multi-level internal approval process for all valid disclosure requests.
  • ONLY RESOLVED reports requested by the original reporter are eligible for disclosure (duplicate reports are not eligible).
  • All other reports (Informative, NA, Spam) are not eligible for disclosure of any kind, in or outside the HackerOne platform. Failure to comply with these rules may result in a program ban for all company properties (Vimeo, Livestream, VHX) .
  • Should a researcher break any disclosure or program policies, that researcher shall no longer be protected under Safe Harbor and will be subject to legal action at our discretion.

Scope Priorities and Disclaimer

Please read this section before submitting a report. We want to help reduce your chance of submitting an out-of-scope report that could hurt your Signal, as well as reduce noise in our inbox.


  • The VHX homepage at /
  • Any of VHX's apps
  • Any of our branded apps
    • [Branded iOS App]
    • [Branded Android App]
    • [Branded Roku App]
  • The VHX embedded player on
  • The VHX API on Our API docs __
  • Any of our hosted sites at *, except for (And only if the issue that would affect every site, not how a current customer configured it)


  • To be considered the original reporter of a vulnerability :
    • You must be able to prove that there is a vulnerability using your own account(s).
    • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
    • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
    • Please provide detailed reports with reproducible steps.
    • If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. Videos work best (No need to overlay music), Text with screenshots second, plain text last.
    • HackerOne and VHX must be able to reproduce it
    • It must go to “TRIAGED” state and be paid the post triage acceptance bounty reward of $100 (Reporting first without meeting the rest of the requirements or just having a lower ticket number does not qualify as being the original reporter. Please note we have an active security team that does scans, contracts out for pentests, developers fixing issues on their own, etc. While not in HackerOne they will count as being “first reporter”)
  • Don 't attempt to access other people's private data. Trial VHX accounts are free , as well as the privacy features, so setting up example cases with throwaway accounts should be easy
  • Don 't use automated tools or scanners. Reports will be close as N/A.
  • Don 't DDoS or otherwise attack us in a way that would disrupt service for our customers

Qualifying vulnerabilities

Please take the time to provide a clear proof of concept that shows how a particular vulnerability is exploitable. You must be able to reproduce the issue on request with your account(s). Use the following guidelines to categorize security issues.

Critical: most impactful, Remote code execution, SQLi, root access to any systems

High: Insecure direct object references, stored xss that can be used against logged in users, account authentication issues (bypass etc)

Medium: stored or reflected cross site scripting, other novel bugs that have a security impact to many users

Low: CSRF missing from non excluded functions, other security issues that impact only a small subset of users

Wont fix: information disclosure, see also other non qualifying vulnerabilities

We do appreciate reports containing CVSSv3 formatted scores ( __)

Reports from automated scanners will not be accepted.

We are primarily interested in exploits that could compromise user privacy or expose content in unintended ways that fit the rest of our rules and don't conflict with the non-qualifying vulnerabilities.

Non-qualifying vulnerabilities

  • User enumeration
  • Thumbnail / Description metadata leakage or similar
  • Anything on `*’ (Unless its is a VHX<>Vimeo Integration or chained issue)- Otherwise these reports belong over at
  • Anything on `*’ - these reports belong over at
  • Anything on "*" - these reports belong over at (Please email with a high level overview as this program is currently private)
  • Reports from automated tools or scans
  • Presence of autocomplete attribute on web forms
  • Missing rate limits, unless it can lead to account takeover
  • Missing cookie flags on non-sensitive cookies
  • Logout CSRF attacks
  • Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept -- and not just a report from a scanner)
  • Reports of insecure crossdomain.xml configuration (again, unless you have a working proof of concept -- and not just a report from a scanner)
  • Reports of window.openerredirects
  • Open SMTP redirects (just because it looks like you can use our servers doesn't mean its true-- unless you have a PoC)
  • Email related attacks including spoofing or any issues related to SPF, DKIM or DMARC
  • Missing security headers including (content security policy) which do not lead directly to a vulnerability
  • Clickjacking on static websites
  • Content spoofing / text injection
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering attacks including self-xss
  • Homoglyph Attack, we feel this is a browser issue
  • Missing HTTP security headers (unless you deliver a proof of concept that leverages their absence)
  • Self-XSS (XSS exploits that cannot maliciously affect users besides yourself)
  • Denial of service attacks, do not perform them
  • 3rd party sites used by VHX (Even if it looks like it’s local because of CDN magic)
  • Subdomain takeovers where someone has signed up for an account, forwarded to an external site that doesn't exist/can be compromised
  • Brute forcing
  • Re-reports due to improper verification
  • Issues where you would have to have access to the users X (Phone, email, 2FA token, etc)
  • Issues where the users X (Phone, email, etc) have been rooted, malwared, bot'd, etc.
  • Downloading or installing mobile versions from anywhere other than their associated official stores.
  • If you are or have been banned on any Vimeo (/vimeo, /vhx, /livestream) program
  • XSS through changing themes
  • Clickjacking reports for /login and /buy
  • RCE on sites that link or are redirected from *.VHX.TV and VHX.TV
  • Subdomain takeovers that involve just signing up for a *.VHX.TV account. They only apply when it doesn't forward to our application platform.
  • SPF record issues without RFC822 headers and proof that SPF returns anything but FAIL
  • At the current time we are re-evaluating all Themes, so they are currently out of scope


VHX will make a best effort to meet the following SLAs for hackers participating in our program:

  • Time to first response (from report submit) - 2 business days
  • Time to triage (from report submit) - 2 business days (unless more information is needed from the hacker)

We’ll try to keep you informed about our progress throughout the process. We welcome cases where you've retested and find it has been fixed, as another ticket may have been the source.


VHX is a HackerOne managed program. HackerOne currently has a 2 day commitment to initial triage. Once they do triage, they will pass it back to VHX. Items in Triage state alone will NOT be considered accepted by the program until final disposition is made by VHX, which will be denoted by a post triage acceptance bounty payout ($100). This initial payout will be deducted from the final bounty payout, if any. Tickets may be triaged by HackerOne, but later marked duplicate or other by VHX. Where developers have already begun remedying the problem before ticket submission, triage, or even post triage acceptance bounty award are deemed to be ineligible for triage. (The can be self closed or marked duplicate with no links as the tickets will be in our internal ticket system).


Past the initial post triage acceptance bounty award, an additional bounty/bonus/both, at our discretion, may be awarded at ticket completion. Only tickets that have been paid the post triage acceptance bounty award, have been picked up and worked by a developer and have been verified by the researcher are eligible to be put into a "RESOLVED" state signaling completion. Each ticket starts out at the bottom of a baseline range that takes into account initial perceived severity, as well as type. From there, it goes up (rarely down) given various factors (Including but not limited to: Actual final perceived severity, completeness of report, ease of working with the researcher, etc). All payouts are suggested by at least one person, approved by another.

Google Play Security Rewards Program

Certain vulnerabilities with a working proof of concept on some of our Android mobile app(s) may qualify for an additional bounty through the Google Play Security Rewards Program. To see which apps and vulnerabilities may qualify for a bounty, please refer to the Google Play Security Rewards Program’s Scope and Vulnerability Criteria.

Disclosure Policy

  • Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization at any time.
  • Follow HackerOne's disclosure guidelines __.

Safe Harbor

Thank you for helping Vimeo, Inc. and its subsidiaries (Of which VHX is one) (“Vimeo”). Vimeo provides this Safe Harbor Statement to encourage and facilitate research using HackerOne’s bug bounty program to help us identify bugs and vulnerabilities.

We authorize to access our owned-and-operated systems, services, and applications for the purpose of conducting research consistent with HackerOne’s then-current policies. We will not consider your good faith activities in this regard to violate applicable criminal or civil laws (even if those activities inadvertently exceed the scope of our authorization), such as the Digital Millennium Copyright Act or Computer Fraud and Abuse Act, and we will not commence legal action with respect to such activities.

If legal action is commenced against you as a result of your good faith activities, Vimeo will take steps to make it known to parties commencing such action that your activities were conducted in accordance with this Safe Harbor Statement.

To the extent that our applicable online terms of service are inconsistent with this Safe Harbor Statement, then this Safe Harbor Statement shall control.

Please note that this Safe Harbor Statement does not extend to systems, services, and applications that we do not control.

We encourage you to contact us if you have questions regarding the scope of this Safe Harbor Statement. You may do so through HackerOne or by emailing us at

**Thanks for helping us fight the good fight! *

In Scope

Scope Type Scope Name






Out of Scope

Scope Type Scope Name


This program leverage 6 scopes, in 2 scopes categories.

FireBounty © 2015-2019

Legal notices