Imgur
2015-09-30
2019-09-10

SIMPLE RULES


  • Do not make any information public until the issue has been resolved.

  • Make a good faith effort to avoid interruption or degradation of our services.

  • Do not access or modify data that does not belong to you - create a free account to test with.

  • Making many substantially similar reports will be eligible for only one bounty award; the rest will be marked as duplicates. For example, the same vulnerability reported across multiple subdomains. Please consolidate these issues into a single report.

  • Please try to limit the number of times you follow up on a report. Making daily comments only adds to our workload and makes turnaround time longer for everyone.

  • This bounty program is only concerned with security-related bugs. Please e-mail support@imgur.com for all other bugs.

  • If your report is related to an advertiser on our site, please refer to https://help.imgur.com/hc/en-us/articles/205107685-Bad-Ads for further guidance.

SCOPE


We are interested in hearing about any security flaw. This could include, but is not limited to:

  • Anything that leaks personal user data, e.g. emails, passwords, content a user has set to private or deleted.

  • Accessing someone's account without their knowledge.

  • A bug exposing a way to perform an action on behalf of another user.

  • Changing a user's settings without their knowledge.

  • Changing values of any site-wide data.

  • Programmatically deleting images that don't belong to you.

  • Cross-site scripting.

DOMAINS UNDER SCOPE


We are interested in your findings for the following domains:

  • imgur.com

  • api.imgur.com

  • i.imgur.com

Please disregard subdomains/domains such as:

  • blog.imgur.com

  • community.imgur.com

  • imgurads.com

REWARDS


For each resolved eligible vulnerability report, the first reporter will receive at Imgur’s discretion:

  • Recognition on our Hall of Fame.

  • Monetary compensation ranging from $50 to $5000, depending on severity and potential impact of the vulnerability.

EXCLUSIONS


The following conditions are out of scope for the vulnerability disclosure program. Any of the activities below will result in permanent disqualification from the program.

  • Public release of information before submission through Hackerone.

  • Bugs coming from third-party software in use by Imgur, e.g. store.imgur.com and help.imgur.com.

  • Physical attacks against Imgur employees, offices, and data centers.

  • Any vulnerability obtained through the compromise of an Imgur customer or employee account. If you need to test a vulnerability, please create a free account.

  • Social engineering of Imgur employees, contractors, vendors, or service providers.

  • Self-XSS without a vector for a third party attack.

  • Knowingly posting, transmitting, uploading, linking to, or sending any malware.

  • Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.

  • Content injection vulnerabilities where the injected field only ever shows the result of the same user's own input.

  • Attacks requiring physical access to a user's device.

  • Tricking a user into manually performing a series of steps.

Please do not make reports for the following issues:

  • Password policy.

  • Brute-force attacks on the /delete/ or /edit/ endpoints.

  • Username enumeration and other similar enumeration reports.

  • Sessions not being destroyed on password reset (a separate utility exists for this under the "security" tab).

  • Imgur has global rate limiting that might not be apparent at low testing volume. Please refrain from reporting issues that depend on no rate limit being in place.

  • CSRF - we are aware of many parts of the site that are vulnerable to CSRF and are currently working on a site wide fix. After the fix goes out, we'll remove this exclusion.

  • Open redirects. We currently are not addressing this issue, but hope to in the future. We will mark these as "Informative".

  • OAuth misconfiguration and email signup merging can lead to issues - we are aware that there is a potential problem and are already working on a fix for all platforms.


FireBounty crawled the Imgur program on the HackerOne platform on 2015-09-30.