1xsultan.com security.txt (crawled 2024-04-01)

A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle vulnerability reports submitted by ethical hackers. A VDP must therefore be easy to find; the standard mechanism is a security.txt file (RFC 9116) served at /.well-known/security.txt, which carries the machine-readable Contact and Expires fields and, as here, the policy text in "#" comment lines.

#Policy
# - Only detailed reports with reproducible steps are accepted.
# - Reports from vulnerability scanners and other automated tools are not accepted.
# - Reports of vulnerabilities in software dependencies without demonstrating real impact are not accepted.
# - In case of duplication, the reward will be given only for the first report.
# - If fixing a vulnerability from a previous report eliminates the vulnerability in a new report, the reward will only be given for the original report.
# - Violation of confidentiality, data destruction, mass disruption, or deterioration of service quality is not allowed.
# - Activities are allowed only with your accounts or with explicit permission from the owner of another account.
# - Accessing and making changes to real customer accounts is prohibited. Use your own test accounts.
# - Social engineering attacks, including phishing, are not accepted.
# - Attacks related to physical access to the user's device are not accepted.
# - Any lateral movement and exploitation after initial access are prohibited. In case of severe system vulnerabilities (LFI, RCE, SQLi, SSRF etc), only basic tests must be performed (commands like id/whoami, printing common system files, DB names).
# - XSS without demonstrated real impact is rated Low severity. For a higher rating, show the full exploitation chain, e.g. to account takeover or financial impact.

#SLA
#We will make every effort to adhere to the following SLA:
# - First response time (from report submission): up to 5 business days.
# - Time to report approval (from the initial response): up to 10 business days.
# - Time to payout approval (from the approval of the report): up to 15 business days.
# - Time to payout processing (from the approval of the payout): up to 5 business days.
#We reserve the right not to respond to reports that clearly do not meet our requirements, to save both your and our time.

#Bug Hunter Recommendations
#Kindly use identifiers that help identify you as a security researcher (e.g., prefix "bounty" to account/email, other user parameters).

#Report Formatting Rules
#The report must contain all necessary steps/commands/dependencies/HTTP request details to reproduce the vulnerability.
#For complex vulnerabilities related to application business logic, video recordings may be useful in addition to reports.
#We may request additional details if necessary, be prepared to provide them.

#Testing Scope
#Our domain and all of its subdomains.
#Our mobile application.
#In case of suspicion of a vulnerability in a resource you believe is associated with us, you can inquire about its ownership with us beforehand.
#We reserve the right not to respond to such requests.

#Vulnerabilities EXPLICITLY outside the Program:
# - Clickjacking.
# - Distributed brute force against accounts that bypasses protection by rotating a large number of IP addresses.
# - Man-in-the-middle attacks on users.
# - Any social engineering methods.
# - Self-XSS.
# - Vulnerabilities in the client side of the mobile application that do not affect the mobile API.
# - The possibility of reverse engineering the mobile application without demonstrated consequences at the mobile API level.
# - HTTP response splitting, HTTP request smuggling, open redirect, HTTP cache poisoning/deception, and other attacks without demonstrated real impact.
# - CSRF without authentication/authorization, Logout CSRF.
# - DDoS.
# - Incorrect SPF/DKIM/DMARC/DNS settings.
# - SSL/TLS configuration errors and other violations of "best practices" without demonstrating impact.
# - User enumeration that does not disclose profile data (simple account enumeration).
# - Attacks that depend on a vulnerability in a third-party site or application that is not itself demonstrated.

#Estimated Payouts
#Critical severity vulnerabilities - $3000-5000 depending on the impact assessment.
#Examples:
# - Business logic error (with direct financial impact, assessed based on the severity of consequences).
# - Gaining privileged access (root, administrator) on the server/application/database level.
# - Gaining the ability to have mass access to financial information or personal data.

#High severity vulnerabilities - $1000-3000 depending on the impact assessment.
#Examples:
# - Obtaining higher-privilege access (not available to regular users), assessed based on the level of privileges obtained.
# - Business logic error (with direct financial impact, assessed based on the severity of consequences).
# - Making arbitrary changes to the database.
# - Reading data from the database (depending on the criticality of the data).
# - Obtaining (critical) information about other users from the database.
# - Gaining access to service accounts in the application/OS/DB.
# - Account Takeover.
# - Potential DoS in critical application functions (assessed based on impact).
# - Gaining the ability to access financial information, personal data.
# - Gaining access to internal company systems.

#Medium severity vulnerabilities - $500-1000 depending on the impact assessment.
#Examples:
# - Gaining access to another user's account (deleting, modifying data) without using OSINT and password guessing.
# - Business logic error (without direct financial impact, assessed based on the severity of impact).
# - Reading data from the database (depending on the criticality of the data).

#Low severity vulnerabilities - $100-500 depending on the impact assessment.
#Examples:
# - Obtaining non-critical but hidden from ordinary users information.
# - Performing actions that will not cause malfunctions but are not intended by the logic of the system.
# - Business logic error (without direct financial impact, assessed based on the severity of impact).

#We reserve the right to adjust the final reward amount based on the assessed impact of the vulnerability on our systems.
#The more reproducible impact detail your report contains, the better the chance that the vulnerability is assessed at the highest applicable severity.
#The reward is paid only in cryptocurrency (USDT, ETH, BTC).

Expires: 2025-11-15T12:00:00Z
Contact: mailto:security_report@1xbet-team.com
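The two lines above (Expires and Contact) are the machine-readable part of this file; everything prefixed with "#" is a comment that an RFC 9116 parser skips. As an added example, not code from FireBounty or the program owner, here is a small Python checker that parses a security.txt body and flags the problems a reviewer most often finds: a missing Contact, a Contact that is not a mailto:/https:/tel: URI, and an Expires that is absent, malformed, already past, or more than a year in the future (RFC 9116 recommends under a year; this file's Expires sits about 19 months after its 2024-04-01 crawl date). The sample input is constructed from the page's two fields plus one stand-in comment line, and the reference time is passed in as a parameter so the result is reproducible.

```python
"""Minimal RFC 9116 (security.txt) parser and staleness check.

Added example for this page; not FireBounty's or 1xsultan.com's code.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample: the page's own Expires/Contact fields plus one comment
# line standing in for the policy text that RFC 9116 parsers must ignore.
SAMPLE_SECURITY_TXT = """\
# Policy text lives in comment lines like this one.
Expires: 2025-11-15T12:00:00Z
Contact: mailto:security_report@1xbet-team.com
"""

# RFC 9116 requires Contact values to be URIs; these are the schemes in common use.
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https:", "tel:")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lower-cased field name -> list of values (fields such as Contact may repeat)."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # tolerate non-field lines, as RFC 9116 asks
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' is mapped to +00:00 for older Pythons."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def check_security_txt(text: str, now_iso: str) -> list[str]:
    """Return the problems found relative to the reference time `now_iso`; [] means the file passes."""
    now = _parse_timestamp(now_iso)
    fields = parse_security_txt(text)
    problems: list[str] = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for contact in contacts:
        if not contact.lower().startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = _parse_timestamp(expires[0])
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]}")
        else:
            if exp <= now:
                problems.append(f"expired at {expires[0]}: treat the policy as stale")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")
    return problems


if __name__ == "__main__":
    # Check the sample as of the crawl date, then as of a date after its Expires.
    for when in ("2024-04-01T00:00:00Z", "2025-12-01T00:00:00Z"):
        print(when, check_security_txt(SAMPLE_SECURITY_TXT, when) or ["ok"])
```

Run as a script, the checker reports the over-long validity window as of the crawl date and a stale file once the Expires timestamp has passed; a researcher should treat a stale or missing security.txt as a signal to confirm the contact channel before sending a report.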

This policy was crawled by Onyphe on 2024-04-01 and is categorised as securitytxt.

FireBounty © 2015-2024
