Banner object (1)

Hack and Take the Cash !

800 bounties in database
  Back Link to program      
02/05/2019
RealSelf logo
Thanks
Gift
Hall of Fame
Reward

Reward

200 $ 

In Scope

Scope Type Scope Name
ios_application RealSelf
web_application www.realself.com
web_application assets.realself.com
web_application auth.realself.com
web_application charon.realself.com
web_application ei.realself.com
web_application fi.realself.com
web_application i.realself.com
web_application kraken.realself.com
web_application log.realself.com
web_application search-faf.realself.com
web_application search.realself.com
web_application wwa.realself.com
web_application style.realself.com
web_application realself.com
web_application wwf.realself.com

RealSelf

RealSelf is the leading and most trusted source for people considering an elective cosmetic treatment. More than ten years ago, we built RealSelf as the destination for people to learn about cosmetic procedures, share their experiences, and connect with top providers.

Today there are more cosmetic treatment options than ever before—from Botox to laser hair removal, microneedling to CoolSculpting. That’s why RealSelf provides unbiased information about cosmetic procedures and the doctors and clinicians who perform them. Every month, millions of RealSelf visitors research procedures and connect with highly qualified providers. RealSelf is a must-visit resource for people considering cosmetic treatments and providers seeking to connect with them. We help millions of people find the right treatment and provider for them.

RealSelf invites you to test and help secure our public-facing assets. We appreciate your efforts and hard work in making the internet (and RealSelf) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!


Our bug bounty program allows you to test the production edition of our site. This is risky business. To make sure your testing doesn't interfere with our users and cause the very problems we are trying to prevent, we ask:

  • Use a username ending in _bugc to identify yourself as a bug bounty participant, for all the accounts you create on our site
  • Use your @bugcrowdninja.com email address for all accounts you create on our site (we support username+suffix@bugcrowdninja.com email addresses to allow you to test with several accounts)
  • Do not interact with users or content that you did not create yourself. Please contact us if you need to access other content to test something, and we will do our best to set you up with what you need.
  • Do not leave attack remnants on the site for other users to discover. If you create content that you find you cannot delete, please contact us to let us know as soon as possible.
  • Normal users must not see the data that you are posting to the systems. For example, please do not drop SQL injection attempts into the middle of live user comments and discussions.
  • Users must not be contacted or messaged in the research of an exploit, and you must not harass site users.
  • Our community managers and other staff may take actions that interfere with your testing as we defend against your attack. If this happens, contact us and we'll work out a test plan.

If we find you did not abide by these rules while testing our site, we will not award a bounty and may terminate your participation.


Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use theBugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Reward Range

Last updated 11 Oct 2018 20:35:53 UTC

Technical severity | Reward range
---|---
p1 Critical | $2,000 - $2,500
p2 Severe | $1,000 - $1,500
p3 Moderate | $500 - $750
p4 Low | $200 - $300

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
www.realself.com | Website
assets.realself.com | Website
auth.realself.com | API
charon.realself.com | API
ei.realself.com | Website
fi.realself.com | Website
i.realself.com | Website
kraken.realself.com | API
log.realself.com | Other
search-faf.realself.com | API
search.realself.com | API
wwa.realself.com | Website
style.realself.com | Other
RealSelf | iOS
realself.com | Website
wwf.realself.com | Website

Any domain not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


Focus Areas:

  • Logging into another user's or doctor's account
  • Disclosure of users' information beyond what is published on our site
  • Performing actions as another user or as a doctor
  • Access to administrator functionality such as moderation actions and approvals
  • Ways to spam or harass a user
  • Denial of service against one or more users or doctors
  • Things that could make our site inaccessible
  • Attacks on our infrastructure, such as source disclosure or injection attacks
  • Remote code execution on our servers

Out-of-Scope

We are not interested in reports of the following issues:

  • Scenarios where the user takes over their own account, including self-XSS
  • Spamming of RealSelf
  • Creation of accounts with false information
  • Denial-of-service attacks against RealSelf's CDN or other service providers
  • Traffic volume-based denial of service attacks
  • Issues requiring physical access to, or prior compromise of, RealSelf's premises or those of one of RealSelf's service providers
  • Social engineering of any type, including of users or RealSelf staff
  • Scenarios which require prior privileged access to a victim's device or use of development mode features in browsers
  • Scenarios where prior compromise of a user's information assets (such as their email account) allow RealSelf account takeover
  • Vulnerabilities which only disclose the existence of a user or allow user enumeration
  • Criticism of RealSelf's authentication policies (including password policies), account recovery requirements, or other customer service processes
  • Uninterpreted reports from scans indicating potential vulnerability
  • Invalid or missing DNS records including DANE, CAA, SPF, DKIM, and similar record classes
  • Issues related to software, services, and protocols not under RealSelf's control
  • Vulnerabilities which require users to use old and out-of-support client software
  • Issues without a clearly identified security impact, including the absence of unnecessary protective measures and "vulnerabilities" which when exploited do not cause any problems
  • Missing restrictive headers, flags, or tokens (including CSRF tokens) that would not mitigate any actual threat if they were present

Any service not directly hosted or controlled by RealSelf is also out of scope, some of which are listed below:

  • atwork.realself.com
  • blog.realself.com
  • bounce.realself.com
  • claim.realself.com
  • click.realself.com
  • contest.realself.com
  • em4474.realself.com
  • engine.realself.com
  • expert.realself.com
  • hello.realself.com
  • help.realself.com
  • horizon.realself.com
  • industry.realself.com
  • info.realself.com
  • insights.realself.com
  • insightscenter.realself.com
  • intranet.realself.com
  • learn.realself.com
  • link.realself.com
  • m.realself.com
  • premier.realself.com
  • rs.realself.com
  • static.realself.com
  • trends.realself.com
  • upgrade.realself.com
  • video.realself.com

Safe Harbor Language

The language around safe harbor for this program can be found on the following page:
https://realself.com/security

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

FireBounty © 2015-2019

Legal notices