Security is a top priority at Tube8. We love to work with skilled security researchers to improve the security of our service. If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
At this time, the scope of this program is limited to security vulnerabilities found on Tube8.com and its associated language-based domains and sub-domains. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward. High impact vulnerabilities outside of this scope might be considered on a case by case basis.
For account access issues or visual layout and website functionality bugs, please work with our Customer Support __which will resolve those issues independently.
Note: Contacting our support team about the status of a HackerOne report will result in an immediate disqualification from receiving a reward. All communications must be conducted through the HackerOne system only.
You will qualify for a reward only if you are the first person to responsibly disclose an unknown issue. The Tube8 security team has 30 days to respond to the report, and up to 120 days to implement a fix based on the severity of the report.
Please allow for this process to fully complete before attempting to contact us again. Note that posting details or conversations about the report or posting details that reflect negatively on the program and the Tube8 brand will result in immediate removal from the program.
Tube8 may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD, and our maximum reward amount is $25,000 USD. Reward amounts may vary depending upon the severity of the vulnerability reported.
Swag may be awarded as a bonus to qualifying, in-scope reports. We allow one swag item per researcher. We will not respond to repeated requests to be awarded swag under any circumstances.
The following table outlines the average rewards for specific classes of vulnerabilities:
Vulnerability Types | Core Tube8 *
Remote Shell / Command Execution | $15,000
Remote Code Execution | $10,000
SQL Injection (with output) | $5,000
Significant Authentication Bypass | $5,000
Local file Inclusion | $2,500
SQL Injection (blind) | $2,500
Insecure Direct Object References | $1,500
Server Side Request Forgery | $1,500
Stored Cross Site Scripting | $1,500
Other Cross Site Scripting | $250
** Core Tube8 covers tube8.com and its associated language-based domains and sub-domains (https://www.tube8.fr __, https://www.tube8.es __, https://de.tube8.com __, https://jp.tube8.com __). It does not include any other domains, sub-domains, or services such as the Tube8 Blog ( https://blog.tube8.com __).
Tube8 reserves the right to decide if the minimum severity threshold is met and whether it was previously reported. Rewards are granted entirely at the discretion of Tube8.
To qualify for a reward under this program, you should:
A good bug report should include the following information at a minimum:
Our bug bounty program is limited strictly to technical security vulnerabilities of Tube8 services listed in the scope. Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.
Please do not mass create accounts to perform testing against Tube8 applications and services. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.
The following are strictly prohibited:
Additionally, the following vulnerabilities will not be considered for bounty:
You must be at least 18 years old to participate in our Bug bounty Program.
Payments are made through HackerOne only. You are responsible for paying any taxes associated with rewards.
Employees of the Company, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in our Bug Bounty Program but are not eligible for monetary rewards. The term “immediate family” includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriages(s), remarriage(s), adoption, co-habitation or other family extension, and any other persons residing at the same household whether or not related.
We reserve the right to modify the terms of this program or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.
Thank you for helping keep Tube8 safe!
Contact us if you want more information.