A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.
#Policy # - Only detailed reports with reproducible steps are accepted. # - Reports from vulnerability scanners and other automated tools are not accepted. # - Reports of vulnerabilities in software dependencies without demonstrating real impact are not accepted. # - In case of duplication, the reward will be given only for the first report. # - If fixing a vulnerability from a previous report eliminates the vulnerability in a new report, the reward will only be given for the original report. # - Violation of confidentiality, data destruction, mass disruption, or deterioration of service quality is not allowed. # - Activities are allowed only with your accounts or with explicit permission from the owner of another account. # - Accessing and making changes to real customer accounts is prohibited. Use your own test accounts. # - Social engineering attacks, including phishing, are not accepted. # - Attacks related to physical access to the user's device are not accepted. # - Any lateral movement and exploitation after initial access are prohibited. In case of severe system vulnerabilities (LFI, RCE, SQLi, SSRF etc), only basic tests must be performed (commands like id/whoami, printing common system files, DB names). # - XSS without demonstrating real impact is considered Low severity. If you want to get more - show full chain of exploitation to an account takeover, financial impact etc #SLA #We will make every effort to adhere to the following SLA: # - First response time (from report submission): up to 5 business days. # - Time to report approval (from the initial response): up to 10 business days. # - Time to payout approval (from the approval of the report): up to 15 business days. # - Time to payout processing (from the approval of the payout): up to 5 business days. #We reserve the right not to respond to reports that clearly do not meet our requirements, to save both your and our time. #Bug Hunter Recommendations #Kindly use identifiers that help identify you as a security researcher (e.g., prefix "bounty" to account/email, other user parameters). #Report Formatting Rules #The report must contain all necessary steps/commands/dependencies/HTTP request details to reproduce the vulnerability. #For complex vulnerabilities related to application business logic, video recordings may be useful in addition to reports. #We may request additional details if necessary, be prepared to provide them. #Testing Scope #Our domain and all of its subdomains. #Our mobile application. #In case of suspicion of a vulnerability in a resource you believe is associated with us, you can inquire about its ownership with us beforehand. #We reserve the right not to respond to such requests. #Vulnerabilities EXPLICITLY outside the Program: # - Clickjacking. # - Distributed brute-force of accounts with bypassing protection by rotating a large number of IP addresses. # - Man-in-the-middle attacks on users. # - Any social engineering methods. # - Self-XSS. # - Vulnerabilities in the client part of the mobile application without affecting the mobile API. # - Possibility of "reversing" the mobile application without demonstrating real consequences on the mobile API level. # - HTTP response splitting, HTTP response smuggling, open redirect, HTTP cache poisoning/deceiption, and other attacks without demonstrating the attack's real impact. # - CSRF without authentication/authorization, Logout CSRF. # - DDoS. # - Incorrect SPF/DKIM/DMARC/DNS settings. # - SSL/TLS configuration errors and other violations of "best practices" without demonstrating impact. # - User enumeration vulnerabilities without profile data details output (simple account enumeration). # - Scripted attacks where the presence of a vulnerability on a third-party site or in a third-party application is a mandatory condition and is not demonstrated. #Estimated Payouts #Critical severity vulnerabilities - $3000-5000 depending on the impact assessment. #Examples: # - Business logic error (with direct financial impact, assessed based on the severity of consequences). # - Gaining privileged access (root, administrator) on the server/application/database level. # - Gaining the ability to have mass access to financial information or personal data. #High severity vulnerabilities - $1000-3000 depending on the impact assessment. #Examples: # - Obtaining higher-privilege access (not available to regular users), assessed based on the level of privileges obtained. # - Business logic error (with direct financial impact, assessed based on the severity of consequences). # - Making arbitrary changes to the database. # - Reading data from the database (depending on the criticality of the data). # - Obtaining (critical) information about other users from the database. # - Gaining access to service accounts in the application/OS/DB. # - Account Takeover. # - Potential DoS in critical application functions (assessed based on impact). # - Gaining the ability to access financial information, personal data. # - Gaining access to internal company systems. #Medium severity vulnerabilities - $500-1000 depending on the impact assessment. #Examples: # - Gaining access to another user's account (deleting, modifying data) without using OSINT and password guessing. # - Business logic error (without direct financial impact, assessed based on the severity of impact). # - Reading data from the database (depending on the criticality of the data). #Low severity vulnerabilities - $100-500 depending on the impact assessment. #Examples: # - Obtaining non-critical but hidden from ordinary users information. # - Performing actions that will not cause malfunctions but are not intended by the logic of the system. # - Business logic error (without direct financial impact, assessed based on the severity of impact). #We reserve the right to adjust the final reward amount based on the impact assessment of the vulnerability on our systems. #The more reproducible impact details you show in your report, the more chances for vulnerability to be assessed as high as possible. #The reward is paid only in cryptocurrency (USDT, ETH, BTC). Expires: 2025-11-15T12:00:00Z Contact: mailto:security_report@1xbet-team.com
This policy crawled by Onyphe on the 2024-04-30 is sorted as securitytxt.
FireBounty © 2015-2024