Banner object (1)

Hack and Take the Cash !

790 bounties in database
  Back Link to program      
HackenProof logo
Hall of Fame


50 HKN 

In Scope

Scope Type Scope Name

Out of Scope

Scope Type Scope Name


HackenProof is a Bug Bounty and Vulnerability Coordination Platform. We connect our customers with the global hacker community to uncover security issues in their products. By running custom-tailored bug bounty programs we help our customers significantly reduce the risk of losing their data to cybercriminals.


In Scope

Target | Type | Severity | Reward
  • HackenProof main site

| WEB | Critical | Bounty

Out of scope

Target | Type | Severity | Reward
  • Our Blog

| WEB | None | --


Severity (CVSSv3) | Reward
Critical | 1500$
High | 900$
Medium | 300$
Low | 100$

__Focus Area

In-Scope Vulnerabilities

We are interested in next web vulnerabilities:

  • Business Logic
  • Remote code execution (RCE)
  • Database vulnerability, SQLi
  • Cross Site Scripting (XSS)
  • Privilege escalation
  • Sensitive data exposure (IDOR, etc.)
  • Authentication bypass
  • Obtaining sensitive information
  • Password attacks
  • Cross-Site Request Forgery (CSRF)
  • Server Side Request Forgery (SSRF)

Out-of-Scope Vulnerabilities

In general, the following vulnerabilities do not correspond to the severity threshold:

  • UI and UX bugs and spelling or localization mistakes.
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing auth tokens, we do still want to hear about them
  • Vulnerabilities in third-party applications
  • Publicly accessible login panels without proof of exploitation.
  • Reports that state that software is out of date/vulnerable without a proof of concept.
  • Host header issues without proof-of-concept demonstrating the vulnerability.
  • HTTP codes/pages or other HTTP non-codes/pages.
  • Fingerprinting/banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking.
  • CSRF in forms that are available to anonymous users (e.g. the contact form).
  • Login & Logout CSRF
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-security-sensitive Cookies.
  • OPTIONS HTTP method enabled
  • Lack of Security Speed bump when leaving the site.
  • Weak Captcha
  • Content injection issues.
  • HTTPS Mixed Content Scripts
  • Content Spoofing without embedded links/html
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • Reflected File Download (RFD).
  • Best practices concerns.
  • Highly speculative reports about theoretical damage. Be concrete.
  • Missing HTTP security headers, specifically, For e.g.
  • Strict-Transport-Security

  • X-Frame-Options

  • X-XSS-Protection

  • Host Header

  • X-Content-Type-Options

  • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP

  • Content-Security-Policy-Report-Only

  • Infrastructure vulnerabilities, including:
  • Certificates/TLS/SSL related issues

  • DNS issues (i.e. mx records, SPF records, etc.)

  • Server configuration issues (i.e., open ports, TLS, etc.)

  • Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including Internet Explorer all versions
  • Vulnerabilities involving active content such as web browser add-ons
  • XSS issues that affect only outdated browsers (like Internet Explorer)
  • Issues that require physical access to a victim’s computer.
  • Physical or social engineering attempts (this includes phishing attacks against employees).
  • Recently disclosed 0day vulnerabilities.
  • Microsites with little to no user data
  • Most brute forcing issues
  • Denial of service
  • Spamming

__Program Rules

  • Avoid compromising any personal data, interruption or degradation of any service .
  • Don’t access or modify other user data, localize all tests to your accounts.
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
  • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
  • Only the first valid bug is eligible for reward.
  • Don’t disclose publicly any vulnerability until you are granted permission to do so.
  • Don’t break any law and stay in the defined scope.
  • Comply with the rules of the program.
  • The rewards will be paid out in HKN based on the current price.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission.

FireBounty © 2015-2019

Legal notices