07/07/2017

Reward

$50

In Scope

Scope Type Scope Name
android_application com.icq.mobile.client
ios_application com.icq.icqfree
undefined https://github.com/mailru/icqdesktop
web_application web.icq.com
web_application agent.mail.ru
web_application icq.com
web_application files.icq.com
web_application wapi.icq.com
web_application store.icq.com
web_application search.icq.com
web_application api.icq.net
web_application bos.icq.net
web_application rapi.icq.net
web_application botapi.icq.net

Out of Scope

Scope Type Scope Name
android_application ru.mail
ios_application ru.mail.agent
undefined https://github.com/mailru/icqdesktop
undefined Please search for security issues in the ICQ desktop application.
web_application webagent.mail.ru

ICQ

At ICQ, we take security seriously and our bug bounty program is one of the major parts of this. We will be glad to see you among bug hunters. You can send us reports in English or Russian.

What security issues best to look for

Critical application security flaws from the OWASP Top 10, such as: Injection, Broken Authentication, Sensitive Data Exposure (e.g. private chat metadata), Broken Access Control (e.g. access to other users' chats and calls). Happy hacking!

The following reports are not accepted for now

  1. Bruteforce attacks
  2. HTTPS configuration issues on the web sites
  3. Cookies without Secure/HttpOnly flags
  4. Clickjacking issues without security impact demonstrated, self-XSS, same site scripting, software version disclosure, CSRF without security impact, etc.
  5. XSS/CSRF for *.icq.net
  6. Login / logout CSRF
  7. BCPs, missing SPF, DMARC, etc.

The following reports are accepted, but not eligible for bounty

  1. Insecure data storage in client applications
  2. Open redirects
  3. Non-critical CSRF attacks (for example, setting language)
  4. Text-only / image / video web content injection without interface spoofing

Limitations

We will not pay a reward (and we will be really upset) if we detect:

  • Physical tampering with icq.com data centers or offices
  • Social engineering directed at the company's employees
  • Breaking into the company's infrastructure and using the information obtained to report vulnerabilities

Please use your own accounts to conduct your research. Do not try to gain access to others' accounts or any confidential information.

Vulnerability disclosure

Vulnerabilities must be disclosed only in accordance with the HackerOne disclosure policy.
Requests for vulnerability disclosure must be filed via the HackerOne report interface.
No vulnerability disclosure, including partial disclosure, is allowed before the vulnerability is disclosed on HackerOne.
Any sensitive information, including (but not limited to) infrastructure and implementation details, internal documentation, procedures and interfaces, source code, and user and employee data, that is accidentally obtained during vulnerability research or demonstration must not be disclosed. Intentional access to such information is strictly prohibited.

FireBounty © 2015-2019