Welcome to the AAF HackerOne Bug Bounty Program!
Our rewards are based on the severity of a vulnerability. HackerOne and AAF use CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of AAF. Examples of issues that may be considered lower severity given additional context include: a reflected XSS with minimal impact (only works in some browsers, can't be used to steal session information); or an RCE on an asset that doesn't house production data.
Min/Max | Critical (CVSS 9.0 - 10.0) | High (CVSS 7.0 - 8.9) | Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9)
Minimum | $1,000 | $500 | $250 | $100
Maximum | $3,000 | $1,500 | $500 | $200
In short, all AAF properties are in scope. These can be found in the assets section below with details specific to each target.
Information disclosures that reveal unannounced plans for the AAF or its future products are in scope. For example, if you were able to discover through file name guessing or API introspection that our users will be able to capture and trade digital creatures, that would be in scope. (This is just an example; we definitely have no plans for this.)
Infrastructure is in scope. We primarily use AWS. Issues such as subdomain takeovers or misconfigured S3 access controls are in scope.
XSS vulnerabilities are in scope, even if the actual execution of them is prevented by content security policies.
Unless otherwise noted for a particular asset, the following issues are considered out of scope:
Note that many denial of service attacks are left in scope. For example, if you can submit a request body that significantly degrades or disables a service, that is in scope. However: Do not disrupt our production services! If you do, your submission will not be eligible for reward. If possible, test denial of service attacks on hackerone.aaf.com subdomains instead.
If you have any questions or concerns about this program, please contact email@example.com.