26/02/2017


50 $ 

In Scope

Scope Type Scope Name
android_application com.souq.seller
ios_application com-%D8%B3%D9%88%D9%82-%D9%83%D9%88%D9%85/id675000850

Out of Scope

Scope Type Scope Name

Souq looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe. Please take the time to review our Security Page below before submitting vulnerabilities. Thank you for working with us to keep Souq and our users safe!

1 Rewards

  • will provide rewards to eligible reporters of qualifying vulnerabilities ONLY as described in this program.
  • Minimum reward is $50 USD.
  • Maximum reward is $1,500 USD.
  • Range of rewards varies depending upon the impact of the vulnerability reported in subject to
  • Rewards are issued at the end of the month after being processed in bulk.
  • We don’t pay for Duplicates, Informative, Spam or NA.

2 Targets in Scope

Please see our structured scope section at the bottom of the Policy Page for assets that are in scope. We are only rewarding vulnerabilities on these assets.

3 Qualifying Vulnerability Types

The following vulnerabilities ONLY are eligible. Any other vulnerability (even critical) is accepted as "Informative".

  1. Injection (SQL and Commands)
  2. Remote Code Execution
  3. Bulk customer sensitive information leaks (not individual leaks)
  4. Bypassing authentication and authorization for Souq API access to gain/modify customer data/orders
  5. Leaked encryption keys or bypassing encryption mechanisms
  6. XSS (Stored ONLY)
  7. CSRF affecting orders and/or customer data ONLY

4 Qualified Report Format

4.1 Mandatory Format

All Security Reports shall follow the following format. Failure to include all of this information will result in an invalid submission:

  1. Title: [Vulnerability Type] at [Target vulnerable URL or App]
  2. Steps: How to reproduce (Step-by-Step). Generic and vague descriptions will be discarded. Don’t forget to mention which browser version was used to reproduce. Reported vulnerabilities should be reproducible under the latest versions of the browsers (1 week old).
  3. Describe the perceived impact.
  4. Screenshots and videos must be submitted as evidence of successful exploitation.
  5. How to mitigate the impact.

5 What are the Program Rules?

is pleased to work with the entire community and acknowledge all efforts to help us secure our platform. Hence, we appreciate your conformance to the following rules:

  • Do not intentionally harm the experience or usefulness of the site.
  • Do not attempt to view, modify, or damage data belonging to site users and customers.
  • Do not make any information public until the issue has been resolved.
  • Do not attempt any type of denial-of-service-like attack against the site.
  • Do not attempt to hide your real-world identity.
  • Do not perform any research or testing against the site in violation of law.
  • Do not take a copy of any vulnerabilities or entire sensitive information or source-code in the site.
  • Do not publicly disclose the vulnerability prior to our resolution and make it publicly disclosed on site.

6 Who is Eligible to Subscribe to this Program?

All HackerOne members are welcome to join the program, except the following users:

  1. Residents of any countries/regions that are under United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria.
  2. Current employees of or a subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee.
  3. A contingent staff member or vendor employee currently working with and/or involved in any part of the administration and execution of this program.
