Bountytalk Launched

Recent Posts

1
I would love to accompany you guys in this project  ;)
2
Well, I think I can test your app properly because I'm from a Computer Science background.
3
Beta Testers Bounty Programs / Re: Beta Users for an App on computer [5-10$]
« Last post by Baljaa on May 19, 2023, 12:49:51 AM »
Replying to this forum as instructed in step 2.
4
Beta Testers Bounty Programs / Re: Beta Users for an App on computer [5-10$]
« Last post by ValeB on May 18, 2023, 10:17:05 AM »
Step 2
5
Bug bounty programs / Practo Bug Bounty
« Last post by Angelina on May 16, 2023, 06:52:29 PM »
submit bug report: https://www.practo.com/company/responsible-disclosure-policy

At Practo, we take safety and security of our customers’ data very seriously and stand guard to the trust put in us by our users.

We understand the importance and value of the role played by security researchers and ethical hackers in keeping the internet safe. Therefore, we support their responsible efforts in not only identifying potential vulnerabilities but also reporting them responsibly.

We urge you to review the Responsible Disclosure Policy before you test and/or report an issue with any of our applications. We assure you that Practo will never pursue any legal action against users who report the issues, as long as they follow these guidelines.


Who can participate in the program?
Anyone who does not work for Practo or a partner of Practo, who reports a unique security issue in scope and does not disclose it to a third party before we have patched and updated it, will be eligible to take part in this program.

Responsible Disclosure policy:
- Report your finding by writing to us directly at [email protected] without making any information public.
- We will respond as quickly as possible; this generally takes 24-48 hours.
- In the best interest of our customers and their data, please do not publicly disclose the issue until it has been addressed by Practo within a reasonable timeframe.
- In order to keep everyone safe, please act in good faith towards our users' privacy and data during your disclosure. We won't take legal action against you or administrative action against your account if you act accordingly.
- Make every effort to avoid privacy violations, disruption to production systems, degradation of user experience and destruction of data during security testing. This would include Brute Force, DoS, Spamming, Scraping, Social Engineering etc.
Reporting guidelines
Please include the following information when sending us the details:

- Operating System name and version.
- Client name and version.
- Plugin names and version installed in the client.
- Steps necessary to reproduce the vulnerability including any specific settings required to be reproduced (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).
- A copy of the source code following your successful test.
- What is the impact of the issue.
- What are some scenarios where an attacker would be able to leverage this vulnerability?
- What would be your suggested fix?
Scope
- All subdomains of practo.com i.e. *.practo.com
- Practo mobile apps -- Android, iOS
Not in Scope
Phishing attacks
Wordpress Users Disclosure
Wordpress DoS CVE-2018-6389
Wordpress CORS in wp-json
SPF Misconfiguration
Our responsibility
Once we receive the details from you, we will ensure to acknowledge the issue within 24-48 hours. We’ll assess the issue and provide you with an estimated timeframe for addressing the reported vulnerability. We will notify you once the vulnerability is fixed. And last but not least, our gratitude and sincerest thanks to you for helping us keep user data and services safe and secure by featuring you in our security hall of fame.

Legal terms
By participating in Practo’s Responsible Disclosure program (the “Program”), you acknowledge that you have read and agree to Practo’s Terms of Service as well as the following:

- Your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.

- You are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments when we run bug bounty programs in the future.

- Practo reserves the right to terminate or discontinue the Program at its discretion.
6
Bug bounty programs / Prezi Bug Bounty
« Last post by Angelina on May 16, 2023, 06:50:00 PM »
submit bug report: https://prezi.com/bug-bounty/

Prezi Responsible Disclosure
At Prezi, we take security of our users’ data very seriously and we believe in harnessing the power of the security researcher community to help keep our users safe. We encourage the responsible disclosure of security vulnerabilities.

This brief ("brief") covers your participation in the Prezi Responsible Disclosure Program (the "Program"). It sets out terms between you and Prezi ("Prezi," "us" or "we"). By submitting any vulnerabilities to Prezi or otherwise participating in the Program in any manner, you accept these terms, the Prezi Privacy Policy, and the BugCrowd Standard Disclosure Terms, Code of Conduct, Disclosure Policy, and Terms of Service.

To join the program, you should read this entire brief, and only proceed if you accept all the terms within.

Thank you for making Prezi better for everyone!

Discovering security vulnerabilities
We encourage and allow you to conduct security research and vulnerability testing on Prezi services and products to which you have authorized access on the “prezi.com” domain.
Please always keep the following rules in mind:

Never attempt to access someone else’s account or data; please always use your own account(s) for testing.
Never try to modify or destroy any data that does not belong to you.
Do not attempt or launch a denial of service attack. We and our users appreciate reliability.
Do not attempt or execute social engineering attacks (including but not limited to unsolicited or unauthorized emails, spam, or other forms of unsolicited messages).
Do not test third parties that integrate with Prezi services (see the “What we are not interested in” section below for more details).
Do not operate directly or indirectly with malicious or harmful software. We like to keep prezi.com clean for our users.
Don’t do anything that violates any applicable law.
Your participation in the Program is entirely voluntary. You acknowledge that Prezi has not offered or promised any reward or bounty payment for your participation in the Program. However, Prezi reserves the right to reward participation in the Program in its sole discretion on a case by case basis.
What we are not interested in
In general, please don’t report the following findings, unless you can showcase an actual vulnerability leading to significant impact:

CSRF vulnerabilities where exploitation is not really probable (other random / hard to get value is required for exploitation), CSRF in the authentication function
Missing “HTTP only” flag for cookies, which are not the following ones: auth-sessionid, prezi-auth, sessionid
Missing “Secure” flags for any cookie
Username / user id enumeration
Missing “X-Frame-Options”, “Strict-Transport-Security”, “Nosniff”, “X-Xss-Protection” headers
Phishing by navigating password tabs a.k.a "window.opener"
Absence of rate limiting
Denial of Service
User password brute force attack
"Leakage" of publicly available information (e.g.: server version info in response header)
Since our list of integrations might change, please always resolve our subdomains before any testing to verify that they are not pointing to some external / 3rd party service.

For example, the following domains and subdomains are pointing to different third-party solutions, which we are not authorized to include in this program:

beautifulbits.prezi.com/
blog.prezi.com/
support.prezi.com
*.cdn01.prezi.com
*.cdn02.prezi.com
streamingcdn.prezi.com
videocdn.prezi.com
videothumbcdn.prezi.com
email.prezi.com
*.preziusercontent.com
*.prezicdn.net
*.prezi.community
Reporting security vulnerabilities
If you believe you have discovered a security vulnerability, please share the details with us by completing the form below.

We will acknowledge receipt of your report within five business days and work with you to understand the issue so we can validate it. We will also do our best to give an estimate on the resolution of the vulnerability and notify you when it is fixed.
7
Bug bounty programs / Puppet Bug Bounty
« Last post by Angelina on May 16, 2023, 06:47:51 PM »
submit bug report: https://www.puppet.com/security


Security Policy
Puppet supports coordinated disclosure of security vulnerabilities and welcomes reports from security researchers on issues found in Puppet products, and Puppet distributed packages or infrastructure.

Out-of-Scope:
Software version or banner disclosures
Directory traversal on yum, apt, or downloads.puppet.com where traversal is explicitly desired
Self-XSS or CSRF on unauthenticated web forms (including logout CSRF)
Disclosure or discovery of known public files or directories (for example, robots.txt, simple DNS enumeration)
Brute force attempts (for example, log-in and forgot password pages don’t have lockouts)
Account enumeration (for example, enumerating login or reset fields for valid accounts without lockouts)
Email spoofing possibilities. Suggesting turning on SPF, DMARC, or DKIM isn’t welcome, though specific issues with those configurations are.
To report a vulnerability contact the Puppet security team at [email protected].

Contact the Puppet security team via encrypted communication using our PGP Public key:

Puppet Security Team
Key Long-format ID: 8728524FE21D3FC6
Key Fingerprint: 489C F9E6 BB24 2589 EFF5 BB68 8728 524F E21D 3FC6

The key is available in ASCII encoded format. It can also be retrieved and verified from the MIT Key Server.

We credit security researchers based on the value of the contributions they provide. The Puppet security team reviews each disclosure and assigns a scored value based on the relevance of the disclosure. These scores are calculated quarterly, and the top-scoring individuals are publicly credited on our website. Additional credit will be awarded to individuals who provide code fixes or additional information about how to fix the vulnerability.

Thank you for supporting Puppet’s coordinated disclosure process!
8
Bug bounty programs / Python Bug Bounty
« Last post by Angelina on May 16, 2023, 06:46:27 PM »
submit bug report: https://www.python.org/blogs/

The Python Community
Great software is supported by great people. Our user base is enthusiastic, dedicated to encouraging use of the language, and committed to being diverse and friendly.

9
Bug bounty programs / QWANT Bug Bounty
« Last post by Angelina on May 16, 2023, 06:43:35 PM »
submit bug report: https://yeswehack.com/programs/qwant

Program Ten commandments

• First commandment:

We, Qwant, reserve the right to cancel this program at any time, and the decision to pay a reward is entirely at our discretion.

• Second commandment:

Thou shalt not disrupt any service or compromise personal data.

• Third commandment:

Thou shalt not publicly disclose a bug before it has been fixed. Thou shalt also be the first person to responsibly disclose the bug.

• Fourth commandment:

Thou shalt not be an actual or a past employee of QWANT to join the program.

• Fifth commandment:

Thou shalt not use brute-forcing or scanner tools, nor perform Denial of Service attempts on the platform.

• Sixth commandment:

Thou shalt not violate any local, state, national or international law.

• Seventh commandment:

Thou shalt stay in the defined scope.

• Eighth commandment:

Thou shalt not perform physical attacks against Qwant's employees, offices or datacenter.

• Ninth commandment:

Thou shalt have fun and drink some beers while snooping around for vulnerabilities.

• Tenth commandment:

Thy participation in this program will constitute acceptance of these rules.

Any failure to comply with these rules will be sanctioned by the exclusion of the hunter from the bug-bounty program, or worse (legal proceedings, ...).

Rewards

Qwant will offer a minimum reward of 100€. There is no maximum reward, as it will be determined by the Qwant security team according to the level of criticality and impact of the reported vulnerability.

Any non-security related issue (bug, wrong interface/API behavior, ...) will not be eligible for a money reward and should be sent to https://www.qwant.com/contact.

Qualifying vulnerabilities

• Authentication bypass

• User session compartmentalization issue

• SQL / NoSQL injections

• Remote code execution or information leakage through XML external entities

• Reflected / persistent Cross-site scripting

• Cross-site request forgery

• Server-side request forgery

• Remote code execution on Qwant servers through memory corruption, command injection or other exploitation technique

• Any vulnerability in the defined scope that could impact the security of the platform and its users

Non-qualifying issues

• Issues outside of defined scope

• Duplicate issue

• CSRF in login or logout

• Social engineering or shoulder-surfing on Qwant's employees

• Security bugs in third-party websites that integrate with Qwant

• Spam or exploit-kit in search results (URLs that bypass Qwant's anti-malware solutions)

• Password complexity or any other issue related to account or password policies

• Missing/invalid HTTP headers

• Cookie flags

• Clickjacking

• Denial of service

• Results from pivoting or scanning internal systems

• SSL/TLS issues

• Account enumeration

• SPF/DKIM issues

• Issues with no security impact

• Issues impacting protocols or software not developed nor maintained by Qwant

• Rate-limit issues

• Forms missing CSRF tokens

• Text injection

• Content spoofing

• Forms missing Captcha

• Homograph attacks

• Bypasses of results filters

• Client-side Issues impacting specific browsers

• Any Adobe Flash / SWF related issues

• Account policies related issues (token expiration, reset link, password complexity)

• Self-exploitation

Update 07/11/2016
Non-qualifying issues additions

• += Rate-limit issues
• += Forms missing CSRF tokens
• += Text injection
• += Content spoofing
• += Forms missing Captcha
• += Homograph attacks
• += Bypasses of results filters
• += Client-side Issues impacting specific browsers
• += Any Adobe Flash /SWF related issues
• += Account policies related issues (token expiration, reset link, password complexity)
• += Self-exploitation
10
Bug bounty programs / QIWI Bug Bounty
« Last post by Angelina on May 16, 2023, 06:42:16 PM »
submit bug report: https://qiwi.com

Policy

Qiwi Bug Bounty Program
We currently do not accept new reports.
Scope:
• qiwi kiosks
• Visa Qiwi Wallet mobile apps for iOS, Android
• *.qiwi.ru
• *.qiwi.com
• *.qiwi.me
• *.rapida.ru
• *.contact-sys.com
• vitrina.contact-sys.com (only High and Critical severity server-side)
• *.flocktory.com (only High and Critical severity server-side)
• *.qiwi.kz
• *.tochka-tech.com (except for issues with rate limits)
• *.tochka.com (except for issues with rate limits)
We do not accept/review reports with:
• Rate limits (including lack of captcha, etc) on domains tochka-tech.com, tochka.com and their subdomains
• Vulnerability scanners and other automated tools reports
• Reports based on product/protocol version without demonstration of real vulnerability presence, except for vulnerabilities with a CVSS v3 score 7+
• Reports of missed protection mechanism / inconsistent with best practices (e.g. no CSRF token, framing/clickjacking protection) without demonstration of real security impact for user or system
• framing, clickjacking;
• Reports of insecure SSL/TLS ciphers (unless you have a working proof of concept -- and not just a report from a scanner);
• Self-XSS;
• Logout CSRF;
• Host header Injection;
• Reports regarding public availability of update1.qiwi.com and update-security1.qiwi.com
• SPF misconfiguration;
• Text-injection based on server error page;
How do I submit a bug report?
A bug report must give a detailed description of the discovered vulnerability:
• vulnerable hosts;
• the type of vulnerability;
• where exactly;
• security impact;
• steps impact;
• recommendations for fixing.
Reward payment and amounts.
We will pay you a reward if you are the first person to report a given vulnerability. The amounts mentioned in the table below are approximate and may vary depending on the vulnerability's influence.
We are interested in the following vulnerability criteria:
• possible use of the vulnerability
• on what service vulnerability found;
• value of financial, reputational and other risks from vulnerabilities.
Payments will be made through HackerOne.
Number of bug reports by one person of the Program is unlimited.
Also, public 0-day/1-day vulnerabilities may be considered as duplicates within a few days after the vulnerability details are published, if the vulnerability is known to our team from public sources and we are working to mitigate or patch it.
Qiwi Responsible Disclosure Policy
By submitting a bug report you agree to comply with the Qiwi Responsible Disclosure Policy, which forbids public or private disclosure of the details of any vulnerability found on Qiwi within 90 days after the vulnerability is fixed, and thereafter only by reciprocal agreement of the parties.
Qiwi employees, and the employees of any company in the Qiwi group, can't participate in the Qiwi Bug Bounty Program.