Banner object (1)

Hack and Take the Cash !

745 bounties in database

Managed by HackenProof logo

50 HKN 

HackenProof Managed by HackenProof

HackenProof is a Bug Bounty and Vulnerability Coordination Platform. We connect our customers with the global hacker community to uncover security issues in their products. By running custom-tailored bug bounty programs we help our customers significantly reduce the risk of losing their data to cybercriminals.


In Scope

Target | Type | Severity | Reward
  • HackenProof main site

| WEB | Critical | Bounty

Out of scope

Target | Type | Severity | Reward
  • Our Blog

| WEB | None | --


Severity (CVSSv3) | Reward
Critical | 1500$
High | 900$
Medium | 300$
Low | 100$

__Focus Area

In-Scope Vulnerabilities

We are interested in next web vulnerabilities:

  • Business Logic
  • Remote code execution (RCE)
  • Database vulnerability, SQLi
  • Cross Site Scripting (XSS)
  • Privilege escalation
  • Sensitive data exposure (IDOR, etc.)
  • Authentication bypass
  • Obtaining sensitive information
  • Password attacks
  • Cross-Site Request Forgery (CSRF)
  • Server Side Request Forgery (SSRF)

Out-of-Scope Vulnerabilities

In general, the following vulnerabilities do not correspond to the severity threshold:

  • UI and UX bugs and spelling or localization mistakes.
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing auth tokens, we do still want to hear about them
  • Vulnerabilities in third-party applications
  • Publicly accessible login panels without proof of exploitation.
  • Reports that state that software is out of date/vulnerable without a proof of concept.
  • Host header issues without proof-of-concept demonstrating the vulnerability.
  • HTTP codes/pages or other HTTP non-codes/pages.
  • Fingerprinting/banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking.
  • CSRF in forms that are available to anonymous users (e.g. the contact form).
  • Login & Logout CSRF
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-security-sensitive Cookies.
  • OPTIONS HTTP method enabled
  • Lack of Security Speed bump when leaving the site.
  • Weak Captcha
  • Content injection issues.
  • HTTPS Mixed Content Scripts
  • Content Spoofing without embedded links/html
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • Reflected File Download (RFD).
  • Best practices concerns.
  • Highly speculative reports about theoretical damage. Be concrete.
  • Missing HTTP security headers, specifically, For e.g.
  • Strict-Transport-Security

  • X-Frame-Options

  • X-XSS-Protection

  • Host Header

  • X-Content-Type-Options

  • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP

  • Content-Security-Policy-Report-Only

  • Infrastructure vulnerabilities, including:
  • Certificates/TLS/SSL related issues

  • DNS issues (i.e. mx records, SPF records, etc.)

  • Server configuration issues (i.e., open ports, TLS, etc.)

  • Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including Internet Explorer all versions
  • Vulnerabilities involving active content such as web browser add-ons
  • XSS issues that affect only outdated browsers (like Internet Explorer)
  • Issues that require physical access to a victim’s computer.
  • Physical or social engineering attempts (this includes phishing attacks against employees).
  • Recently disclosed 0day vulnerabilities.
  • Microsites with little to no user data
  • Most brute forcing issues
  • Denial of service
  • Spamming

__Program Rules

  • Avoid compromising any personal data, interruption or degradation of any service .
  • Don’t access or modify other user data, localize all tests to your accounts.
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
  • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
  • Only the first valid bug is eligible for reward.
  • Don’t disclose publicly any vulnerability until you are granted permission to do so.
  • Don’t break any law and stay in the defined scope.
  • Comply with the rules of the program.
  • The rewards will be paid out in HKN based on the current price.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission.
Hall of Fame

List your Bug Bounty for free immediately!

Contact us if you want more information.

FireBounty (c) 2015-2019