
Hack and Take the Cash !

722 bounties in database
07/07/2017

Reward

50 $ 

ICQ

At ICQ, we take security seriously and our bug bounty program is one of the major parts of this. We will be glad to see you among bug hunters. You can send us reports in English or Russian.

What security issues are best to look for

Critical application security flaws from the OWASP Top 10, such as: Injections, Broken Authentication, Sensitive Data Exposure (e.g. private chat metadata), Broken Access Control (e.g. access to user chats and calls). Happy hacking!

The following reports are not accepted for now

  1. Bruteforce attacks
  2. HTTPS configuration issues on the web sites
  3. Cookies without Secure/HTTPOnly flags
  4. Clickjacking issues without security impact demonstrated, self-XSS, same site scripting, software version disclosure, CSRF without security impact, etc.
  5. XSS/CSRF for *.icq.net
  6. Login / logout CSRF
  7. BCPs, missing SPF, DMARC, etc.

The following reports are accepted, but not eligible for bounty

  1. Insecure data storage in client applications
  2. Open redirects
  3. Non-critical CSRF attacks (for example, setting language)
  4. Text-only / image / video web content injection without interface spoofing

Limitations

We will not pay a reward (and we will be really upset) if we detect:

  • Physical tampering with icq.com data centers or offices
  • Social engineering directed at the company's employees
  • Breaking into the company's infrastructure and using the information obtained to report vulnerabilities

Please use your own accounts to conduct your research. Do not try to gain access to others' accounts or any confidential information.

Vulnerability disclosure

Vulnerabilities must be disclosed only in accordance with the HackerOne disclosure policy.
A request for vulnerability disclosure must be filed via the HackerOne report interface.
No vulnerability disclosure, including partial disclosure, is allowed before the vulnerability is disclosed on HackerOne.
Any sensitive information, including (but not limited to) infrastructure and implementation details, internal documentation procedures and interfaces, source code, and user and employee data, that is accidentally obtained during vulnerability research or demonstration must not be disclosed. Intentional access to this information is strongly prohibited.


FireBounty (c) 2015-2019