Security is a top priority at MG Freesites Ltd (“MG”). MG loves to work with skilled security researchers to improve the security of MG’s Services. If you (also referred herein as the “Finder”) believe you have found a (“Vulnerability” or “Vulnerabilities”), as defined in the vulnerability disclosure guideline on www.hackerone.com, in the services listed in MG’s scope, MG will be happy to work with you to resolve the issue promptly and ensure you are rewarded for your discovery.
At this time, the scope of this program is limited to Vulnerabilities found on assets listed under the "Program Scope" section. Vulnerabilities reported on other assets are NOT eligible for Reward.
Important:
Contacting MG’s support team directly to inquire about the status of examination of a HackerOne report (“Report”) will result in an immediate disqualification from receiving a Reward. All communications must be conducted through HackerOne's communication system only.
Severity:
Severity of Vulnerability shall be assessed in accordance with the Common Vulnerability Scoring System (CVSS).
You must avoid tests that could cause degradation or interruption of MG’s services;
You must not access, leak, manipulate, or destroy any user data, including but not limited to, user information, metadata, preferences, configurations etc. “User Data”;
You are only allowed to perform tests against your own accounts.
The use of automated tools or scripted testing is not allowed. This includes but is not limited to vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts which may result in heavy traffic or flooding of any of MG’s services.;
Physical attacks against offices and data centers are prohibited;
Social engineering of MG’s support agents, service desk, employees or contractors is prohibited;
Do not compromise a user's or employee's account
You will qualify for a Reward only if you are the first Finder to responsibly disclose an unknown Vulnerability. Note that posting details, conversations or any other Confidential Information about a vulnerability report or posting details that reflect negatively on the program will result in immediate removal from the program. We would also like to bring to your attention that this shall be treated as a breach of your confidentiality, therefore, disqualifies your eligibility for safe harbor as it is outlined in this policy.
Any Vulnerability found must be reported no later than 24 hours after discovery
Report on Vulnerability shall be disclosed to MG exclusively.
To obtain any type of verified account on our platform your user's account must be created using the HackerOne alias email 'username@wearehackerone.com';
You must send a clear textual description of the report along with steps to reproduce the vulnerability (proof of concept “PoC”) that must be included in the Report;
You must Include attachments such as screenshots or PoC code as necessary. To be acceptable, any submitted Vulnerability report must include as a minimum:
List the URL and any affected parameters;
Describe the browser, OS, and/or app version;
Describe the perceived impact. How could Vulnerability potentially be exploited?
Reports that only feature a video PoC without written reproduction steps will be refused.
MG may provide Rewards to eligible Finders of Vulnerabilities in accordance with this Policy. *Reward amounts may vary depending upon the severity of the Vulnerability reported at MG’s sole discretion. *
Promotional material (“Swag”) may be awarded as a bonus to triaged qualifying, in-scope reports. MG allows one Swag item per researcher. MG will not respond to repeated requests to be awarded Swag under any circumstances.
MG will, at its sole discretion, decide if the minimum severity threshold is met for each reported Vulnerabilities. MG shall use commercially reasonable efforts to inform Finder if the Vulnerability was previously reported. Rewards are granted entirely at the discretion of MG in accordance with this Policy.
If your report was closed as duplicate, you cannot be invited in the original report to preserve its confidentiality.
-Follow HackerOne's disclosure guidelines.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
-Information Disclosure without significant and executable impact
-Information leakage, data cached in search engines or the web archive
-Cross-Origin Resource Sharing (CORS)
-Self XSS and XSS without impact
-Anything related to confirmation emails
-Password and account recovery policies
-Session Management, such as: session timeout, session hijacking, etc.
-Clickjacking on pages with no sensitive actions
-Cross-Site Request Forgery (CSRF) on forms with no sensitive actions or without a realistic exploitation scenario
-Attacks requiring MITM or physical access to a user's device.
-Previously known vulnerable libraries without a working Proof of Concept.
-Comma Separated Values (CSV) injection without demonstrating vulnerability.
-Missing best practices in SSL/TLS configuration.
-Any activity that could lead to the disruption of our service (DoS).
-Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
-Rate limiting or brute force issues on non-authentication endpoints
-Missing best practices in Content Security Policy.
-Missing HTTP Only or Secure flags on cookies
-Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
-Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
-Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors).
-Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
-Tab nabbing
-Open redirect - unless an additional security impact can be demonstrated
-Issues that require unlikely user interaction
-Physical testing (e.g., office access, open doors, tailgating), or any other non-technical vulnerability testing
-Tests against Cloud Service Providers where no Vulnerability Disclosure Policy exists.
-Phishing or Social Engineering
-Third party services or systems used by MindGeek
You must be at least 18 years old to participate in MG’s Bug bounty Program.
Payments are made through HackerOne only. You are legally bound by the Finders Terms and Conditions, The General Terms and Conditions, The Code of Conduct for Finders, Vulnerability Disclosure Guidelines as well as any other agreement found on https://www.hackerone.com/ that applies to Finders (the "Agreements") and these, as well as this Program Policy shall govern the legal relationship between you and MG. All terms used but not defined herein shall have the meaning ascribed to them in the Agreements.
Current and previous employees of MG, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in MG’s Bug Bounty Program but are not eligible for monetary Rewards. The term (“Immediate Family”) includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriages(s), remarriage(s), adoption, cohabitation or other family extension, and any other persons residing at the same household whether related or not.
MG reserves the right to modify the terms of this Policy or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Thank you for helping keep MindGeek safe!
Scope Type | Scope Name |
---|---|
web_application | www.youporn.com |
web_application | www.youpornpremium.com |
Scope Type | Scope Name |
---|---|
web_application | *.youporn.com |
web_application | *.youpornpremium.com |
web_application | *.youporn.com/world |
web_application | feedback.youporn.com |
The public program YouPorn on the platform Hackerone has been updated on 2019-08-03, The lowest reward is 50 $.
FireBounty © 2015-2024