Banner object (1)

Hack and Take the Cash !

794 bounties in database
  Back Link to program      
Alliance of American Football  logo
Hall of Fame


50 $ 

Alliance of American Football

Welcome to the AAF HackerOne Bug Bounty Program!

Program Rules

  • Do not attempt to execute any social engineering (e.g. phishing, vishing, smishing).
  • Follow HackerOne's disclosure guidelines.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Amounts below are the minimum and maximum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.


Our rewards are based on the severity of a vulnerability. HackerOne and AAF use CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity. Please note, however, that reward decisions are up to the discretion of AAF. Examples of issues that may be considered to be lower severity given additional context include: a reflected XSS that has minimal impact (only works in some browsers, can't be used to steal session information); or an RCE on an asset that doesn't house production data.

Min/Max | Critical (CVSS 9.0 - 10.0) | High (CVSS 7.0 - 8.9) | Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)
Minimum | $1,000 | $500 | $250 | $100
Maximum | $3,000 | $1500 | $500 | $200


In short, all AAF properties are in scope. These can be found in the assets section below with details specific to each target.

Information disclosures that reveal unannounced plans for the AAF or its future products are in scope. For example, if you were able to discover through file name guessing or API introspection that our users will be able to capture and trade digital creatures, that would be in scope. (This is just an example; we definitely have no plans for this.)

Infrastructure is in scope. We primarily use AWS. Issues such as subdomain takeovers or misconfigured S3 access controls are in scope.

XSS vulnerabilities are in scope, even if the actual execution of them is prevented by content security policies.

Out of scope vulnerabilities

Unless otherwise noted for a particular asset, the following issues are considered out of scope:

  • Attacks requiring physical access to a user's device
  • Best practices such as missing content security policies
  • Brute force attacks such as password guessing
  • Denial of service attacks that require admin privileges
  • Denial of service attacks that exhaust server resources with repeated actions. If it can be solved with rate-limiting, it's probably out of scope.

Note that many denial of service attacks are left in scope. For example, if you can submit a request body that significantly degrades or disables a service, that is in scope. However: Do not disrupt our production services! If you do, your submission will not be eligible for reward. If possible, test denial of service attacks on subdomains instead.

If you have any questions or concerns on this program, please contact

FireBounty © 2015-2020

Legal notices