Better - bug bounty program (FireBounty listing, 20/06/2019)

Reward types: Thanks, Gift, Hall of Fame, Reward
Reward (as listed): $100

Better invites you to test and help secure our primary publicly facing assets - focusing on our web and api applications. We appreciate your efforts and hard work in making the internet (and Better) more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!


Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability's priority will be modified based on its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

Reward Range

Last updated 14 Nov 2018 21:42:56 UTC

Technical severity | Reward range
---|---
P1 Critical | $1,200 - $1,500
P2 Severe | $800 - $1,000
P3 Moderate | $300 - $500
P4 Low | $100 - $150

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
*.better.com | Website
api.better.com | Website
better.com/api | Website

Testing is only authorized on the targets listed as in scope. Any domain or property of Better not listed in the targets section is out of scope, including any subdomains not covered by the entries above. If you believe you have identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.


Target Info:

  • *.better.com - The landing page for all of Better's services. Researchers are invited to test the entirety of this domain, including any and all subdomains.
  • api.better.com - One of the API endpoints utilized by Better's applications.
  • better.com/api - The other API endpoint utilized by Better's applications.
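Before pointing any tooling at discovered hosts, a researcher typically filters them against the program's scope list. The following is an added example (not part of the program brief and not Bugcrowd tooling) that implements a conservative reading of the three targets above: `*.better.com` matches any host with one or more labels under `better.com`, `api.better.com` is an exact host, and `better.com/api` puts the apex host in scope only for paths under `/api`. Whether the wildcard is also meant to cover the apex is not stated on the page, so treating the apex as in scope only via the `/api` rule is an assumption made here. The sample URL list is constructed for illustration.

```python
"""Scope filter for the Better program's in-scope list.

Added example, not part of the program brief or Bugcrowd tooling. It
implements a conservative reading of the three published targets:
  *.better.com   -> any host with one or more labels under better.com
  api.better.com -> that exact host (already covered by the wildcard)
  better.com/api -> the apex host, but only for paths under /api
Whether the wildcard is meant to cover the apex itself is not stated by
the program; here the apex is in scope only via the /api rule (assumption).
"""
from urllib.parse import urlsplit

# Targets copied from the program's "In scope" table.
IN_SCOPE = ("*.better.com", "api.better.com", "better.com/api")


def _split_target(target):
    """Return (host_pattern, path_prefix) for a scope entry.

    A target without a '/' is host-only and gets path_prefix None.
    """
    host, sep, path = target.partition("/")
    return host.lower(), ("/" + path) if sep else None


def _host_matches(pattern, host):
    """Exact host match, or a '*.' wildcard match on proper subdomains only."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".better.com" keeps the dot so "notbetter.com" fails
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def in_scope(url, targets=IN_SCOPE):
    """True if url falls under at least one in-scope target.

    Hostnames are compared case-insensitively; a trailing dot and an
    explicit port are ignored. Path-scoped targets require the URL path
    to be the prefix itself or a sub-path of it ("/apiary" is not "/api").
    """
    if "://" not in url:
        url = "https://" + url  # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    for target in targets:
        pattern, prefix = _split_target(target)
        if not _host_matches(pattern, host):
            continue
        if prefix is None:
            return True
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def filter_scope(urls, targets=IN_SCOPE):
    """Split candidate URLs into (in_scope, out_of_scope) lists, order preserved."""
    inside, outside = [], []
    for u in urls:
        (inside if in_scope(u, targets) else outside).append(u)
    return inside, outside


if __name__ == "__main__":
    # Constructed sample of "discovered" URLs; none of these come from the program.
    candidates = [
        "https://app.better.com/login",
        "https://API.better.com:443/v1/users",
        "https://better.com/api/v2/rates",
        "https://better.com/",                # apex outside /api
        "https://better.com/apiary",          # shares the "/api" string, not the path
        "https://better.com.evil.example/",   # suffix spoof
        "https://notbetter.com/api",
    ]
    inside, outside = filter_scope(candidates)
    print("IN SCOPE:", *inside, sep="\n  ")
    print("OUT OF SCOPE:", *outside, sep="\n  ")
```

Anything that lands in the out-of-scope list should go to support@bugcrowd.com rather than be tested, per the scope statement above.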

Credentials:

  • Please sign up for an account using your @bugcrowdninja.com email address. For more information on @bugcrowdninja.com email addresses, see Bugcrowd's researcher documentation.

Bonuses:

  • Submissions that chain multiple vulnerabilities may be eligible for a reward bonus.

Reporting:

If you come across personally identifiable information (PII) during testing, do not include it in your reports.

Exclusions:

  • Any reports about rate limiting (or lack of rate limiting) are out of scope.

Other Exclusions:

Common low-severity findings (e.g. information gathering, or issues that are not exploitable on their own) are excluded. That said, if you can demonstrate an exploit that combines such low-severity issues with others, the resulting chain is eligible.

  • Descriptive error messages (e.g. stack traces, application or server errors).
  • Clickjacking and issues only exploitable through clickjacking.
  • Lack of Secure and HttpOnly cookie flags.
  • Weak CAPTCHA / CAPTCHA bypass (CAPTCHA implementation issues).
  • Username enumeration via login page error messages.
  • Username enumeration via forgot-password error messages.
  • Login or forgot-password page brute force, and account lockout not enforced.
  • SSL/TLS attacks such as BEAST, BREACH and renegotiation attacks.
  • Missing HTTP security headers.

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

Scope type | Scope name
---|---
web_application | *.better.com
web_application | api.better.com
web_application | better.com/api

FireBounty © 2015-2019
