Bountytalk Launched

Recent Posts

Bug bounty programs / Sony Bug Bounty
« Last post by Angelina on May 11, 2023, 06:52:17 PM »
submit bug report:

Our global information security team is working hard to protect Sony's information assets, services and products and the confidentiality of customer information. But we're always willing to accept more help. We recognize the valuable role that the research community plays in enhancing our security posture and welcome the opportunity to partner with you.
The [email protected] program accepts reports of bugs that provide a potential attacker with the ability to compromise the integrity, availability or confidentiality of Sony products, services or information technology infrastructure. Please see below for specific submission criteria.
If you believe you've found a qualifying security vulnerability in a Sony product or Web site, please submit a report in accordance with the guidelines below that includes a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept.
When investigating vulnerabilities, avoid altering existing files, file permissions, reading sensitive information (e.g., /etc/shadow) or disrupting services. Do not utilize an identified vulnerability to pivot to other hosts or services. If sensitive information or personal information is encountered, immediately cease activities and report via the HackerOne portal where triage and Sony personnel can assist.
Reports of broken link hijacking without proof of significant potential impact to Sony will likely be closed as N/A.
We value the positive impact of your work and thank you in advance for your contribution.
Qualifying Vulnerabilities
The [email protected] team is interested in the following types of vulnerabilities:
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
Unauthorized Cross-Tenant Data Tampering or Access (for multi-tenant services)
Insecure Direct Object References
Injection Vulnerabilities
Authentication Vulnerabilities
Server-Side Code Execution
Privilege Escalation
Significant Security Misconfiguration (when not caused by user)
Directory Traversal
Information Disclosure
Open Redirects
Sony Product Vulnerabilities (specific to the Sony designed/controlled components of the product)
Sony reserves the right to reject any submission that we, in our sole discretion, determine does not meet the above criteria. Submissions that require manipulation of data, network access, or physical attack against Sony offices or data centers and/or social engineering of our service desk, employees or contractors will not be accepted. Submissions that result in the alteration or theft of Sony data, or the interruption or degradation of Sony systems will not be accepted.
Non-Qualifying Vulnerabilities
The following submissions are not accepted by [email protected]:
Vulnerabilities disclosed without a working proof-of-concept or clear reproducible steps
Logout Cross-Site Request Forgery
Involvement of Sony products or corporate technology in Denial of Service attacks [Note: Submissions of specific vulnerabilities will be considered in accordance with the Qualifying Vulnerabilities described above]
Descriptive Error Messages
Fingerprinting/Banner disclosure on common public services
Lack of secure/HTTPOnly flags
HTTP Methods
SSL Attacks, such as BEAST/BREACH
Subdomain takeovers without a complete proof of concept
Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML
CMS Application updates within 5 business days of release (e.g., WordPress security releases)
Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload)
Vulnerabilities related to networking protocols or industry standards not controlled by Sony, including flaws that impact outdated browsers and plugins
Any Sony-developed software/hardware that is End of Life or no longer supported
Any product vulnerability in which the vulnerability is in code or hardware not created, designed, or updated by Sony
Any product vulnerability that involves device modification or bypassing of security controls inherent to the device in a way that requires ownership, hardware modification, or direct device access

Swag shipments are processed once a month but may be delayed due to COVID-19. Thank you for your understanding!
Sony will determine, in its sole discretion, whether recognition will be provided, and Sony will only recognize the first researcher to have discovered a specific, and previously unreported, vulnerability. Sony reserves the right to withhold recognition for researchers who have violated this policy in the past.
Sony is unable to provide a t-shirt if you are a resident of a country that faces United States export sanctions or trade restrictions. Sony assumes the shipping costs of a “Finder” t-shirt to the vulnerability submitter. All other country and local taxes or fees are the responsibility of the researcher. All reward decisions by Sony are final.
Responsible Disclosure
Sony believes in responsible disclosure and we ask that researchers:
Act in good faith, by conducting your activities under this policy, and reporting the vulnerability with us:
In sufficient detail for us to determine the validity of the vulnerability
Without coercion, dishonesty, or fraudulent intent
Give us reasonable time to remediate vulnerabilities before talking about them publicly and notify us of your disclosure plans in advance. If you would like to disclose a resolved vulnerability, make the request directly in your report.
Whether a disclosure provides a positive contribution to the security community is a key factor in our evaluation.
Please note reports closed as Spam, Not Applicable, or Informative will not be approved for disclosure.
Legal Notice:
If we conclude, in our sole discretion, that you have complied with the requirements above when reporting a security vulnerability, Sony will not pursue claims against you or initiate a law enforcement investigation in response to your report:
You do not cause harm to Sony or our customers;
You make a good faith effort to avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services or IT infrastructure;
You do not violate any law;
Once you have confirmed a vulnerability, you report it in a timely manner and do not exploit it further;
To the extent that you have accessed non-public Sony information in the course of your research, you do not maintain copies of any such information or share any such information with any third party; and
You do not publicly disclose or share the vulnerability details without the written permission of Sony. Violation of these requirements may result in permanent disqualification from the program.
Any activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program.
We may collect information that could reasonably be used to identify you (e.g., IP address). Sony uses this information to evaluate a reported vulnerability and protect Sony products, services or information technology infrastructure.
Sony reserves the right to modify or terminate this program at any time.

Bug bounty programs / Sophos Bug Bounty
« Last post by Angelina on May 11, 2023, 06:50:56 PM »
submit bug report:

Program Overview
At Sophos, we understand the effort that goes into security research. To show our appreciation to researchers, who help keep our products and our customers safe, we are glad to introduce a Responsible Disclosure Program to provide recognition and rewards for responsibly disclosed vulnerabilities.

Sophos rewards the responsible disclosure of any identified and confirmed security vulnerability that could be used to compromise the confidentiality, integrity, or availability of Sophos products, as well as services and infrastructure impacting Sophos' or users' data.

In general no credentials or product keys will be provided for this program - all testing is to be performed using self-provisioned credentials against legally obtained Sophos products, including free trials. See the section Credentials for more details.

The severity of submissions will be determined using CVSSv3.1 according to Sophos' internal standard.

Researchers should use test accounts or test systems where possible, such that the security and privacy of real users is protected. At all times, make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of Sophos services. Do not modify or destroy data that does not belong to you.

Potentially destructive tests, including denial of service, require prior written consent by Sophos.

Reach out to [email protected], if a potentially destructive test on a production system is required to find, or confirm, a finding.

Denial of Service testing against Sophos Central is explicitly prohibited and will not be approved at this time.

Rewards or recognition require that the Sophos security team can reproduce and verify an issue and that the security impact is clear.

Reproduction steps need to be clear, and may include screenshots, videos, scripts, etc.

DO NOT use the output from automated scanners and tools as the entire vulnerability report.

Rewards will be provided according to the rules of this bug bounty program as outlined above. At the discretion of Sophos, quality, creativity, or novelty of submissions may modify payouts within a given range.

In case of multiple reports about the same issue, Sophos will reward the earliest submission, regardless of how the issue was reported.

Issues in Security Features
Reports about bugs or limitations in Sophos product security features, such as the ability to bypass a particular filter, are out of scope for the Sophos Bug Bounty Program and not eligible for rewards upon acceptance, unless explicitly stated otherwise in the section Special Targets below.

Valid reports about novel security feature bypasses will be forwarded to the respective product team and subsequently tracked as P5/Informational on the Bugcrowd platform.

At the sole discretion of the Sophos Product Management team, individual reports may be rewarded on a case by case basis after the fact.

Responsible Disclosure
Sophos takes responsibility for disclosing product vulnerabilities to customers. To encourage responsible disclosure, we ask that all researchers comply with the following Responsible Disclosure Guidelines:

Allow Sophos an opportunity to both correct and disclose a vulnerability (including any CVE, if applicable) first within a reasonable time frame.
Allow Sophos' customers 30 days to install the security patch before disclosing vulnerability details to anyone.
Coordinate with Sophos on any publication of vulnerability details.
Sophos advises its customers that those who exploit security systems often do so by reverse engineering published security updates, and therefore encourages its customers to patch timely.

For the full responsible disclosure policy, please refer to and comply with the Sophos Responsible Disclosure Policy.

Reward Eligibility
Current employees or contractors of a Sophos Group entity are not eligible to participate in the program. Former employees and contractors are eligible to participate in the program only, if

they have left the Sophos Group entity more than 1 year prior to submission, and
they are not making use of, or referring to, any non-public Sophos information obtained when they were an employee or contractor.
For testing services and products that require credentials, please create an account on your own using your email address. Your bugcrowdninja email address is your username. All emails will go to the email address associated with your account.

If for some reason your IP address or account are banned during your research activity, please contact us at [email protected] and we'll restore your access ASAP.
To obtain credentials for the target, please email [email protected] with your Bugcrowd username.

Special Targets
Sophos Endpoint Products
Sophos offers a broad range of Endpoint protection products on multiple platforms (Windows, Mac, Linux, Android, iOS, etc.), including (but not limited to) Anti-Virus and Exploit Prevention. Relating to our Endpoint protection products, we are particularly interested in:

Privilege escalation via Sophos Endpoint products, including (but not limited to):
Unauthorized disabling of components, services, or features (including crashes, hangs, etc.)
Weak architecture (including the resulting inability to address a class of issues, ...)
Disclosure of information (e.g. unauthorized access of other users, files, etc.)
File parsing and/or scanning-related crashes, hangs, memory-corruption, etc.
Bypassing exploit prevention technologies (if present in a product)
For example, innovative mechanisms for injecting code into other processes, leading to privilege escalation
False negatives (undetected malware) are excluded from the program. However, we encourage you to submit any false negatives via or email to [email protected].

Sophos Optix
To test Sophos Optix, follow these instructions:

On your Sophos Central Dashboard, scroll down to find the card titled "Cloud Security Posture Management"
Click on "Go to product dashboard" or the "Activate Cloud Optix" button
You will be greeted with setup instructions
Click on the 2nd button labelled "Go to Demo Console"
By engaging or participating in this bug bounty program, you agree to treat the following types of information as Sophos’s confidential information and not divulge to any third person (except disclosure to Sophos through the Bugcrowd platform) any such information until disclosure is approved in writing by Sophos:
(i) all information you receive or collect about Sophos and its products, or any of Sophos’s customers during your participation in this program; and/or
(ii) vulnerability report and any vulnerability.

Disclosure of Sophos’s confidential information to any third parties before Sophos’s approval forfeits the reward and could disqualify you from participating in this bug bounty program in the future. Please notify Sophos immediately upon discovery of any loss or unauthorized disclosure of confidential information.

You must notify Sophos immediately if you:
(i) gain access to another person's accounts or data;
(ii) destroy any data, or
(iii) cause interruption or degradation of Sophos’s infrastructure and services. Additionally, if you encounter personally identifiable information, customer data or other sensitive information, please contact Sophos immediately, and do not retain any copies of such information.

By submitting your vulnerability report, you perpetually allow Sophos and its affiliates and subsidiaries the unconditional ability to use, modify, create derivative work from, distribute, publish and display information provided in your report or to have others do the same on Sophos’s behalf, and these rights cannot be revoked.

Sophos cannot provide a reward if you’re a minor, on a sanctions list, or live in a country that is on a sanctions list.

You must comply with all applicable laws in connection with your participation in this program.

As a participant in this program, you will not be deemed to be in breach of applicable Sophos license provisions so long as your actions are consistent with this bug bounty brief.

Bug bounty programs / Splitwise Bug Bounty
« Last post by Angelina on May 11, 2023, 06:48:16 PM »
submit bug report:

Responsible Disclosure / Special Thanks
At Splitwise, we’re lucky to have supportive users who help us to find bugs and potential security vulnerabilities via responsible disclosure. If you believe you have discovered a potential issue with our system, we appreciate your help in disclosing the issue to us responsibly. This page contains info on how to report an issue, and gives thanks to all the individuals who have reported issues in the past.

Researchers who submit a valid report to us within the bounds of this policy will be given credit and thanks on this page once the submission has been accepted, remedied, and validated by our security team.

How we approach security reports
Splitwise will not take legal action against users for disclosing vulnerabilities as instructed here.
Valid vulnerability reports will always be responded to as fast as possible – usually within 2 business days.
If we agree that you’ve reported a valid issue with our service, we’ll attribute you with a special thanks on this page after the issue has been remedied. Please let us know if you’d like us to include a link to your Twitter account or other profile.
To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

Share the security issue with us in detail right away by emailing us at [email protected].
Don’t perform any actions that could harm the reliability or integrity of our services and data. Some examples of harmful activities that are not permitted include: brute forcing, denial of service (DoS), spamming, timing attacks, etc.
Don’t use scanners or automated tools to find vulnerabilities.
Do not engage in social engineering or phishing of Splitwise users or employees.
Please give us a reasonable time to respond to the issue before making any information about it public.
Do not access or modify our data or our users’ data. Only interact with your own accounts or test accounts for security research purposes.
Do not view, alter, save, store, transfer, or otherwise access any data obtained incidentally during your research, and immediately purge any local information after reporting the vulnerability to Splitwise.
Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service).
Comply with all applicable laws.
In the event of duplicate reports for the same issue, Splitwise will generally only add the first person to report the issue to our Responsible Disclosure page.

We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior. We will not negotiate in response to duress or threats (e.g., we do not offer cash rewards and will not negotiate a payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).

Third-party services
Some subdomains of are run via third-party services. If you find an issue with one of these subdomains, you may want to report it directly to the appropriate company, depending on the issue: runs on UserVoice runs on GitHub Pages runs on
Out-of-scope issues
The following issues are generally considered out-of-scope and not eligible for thanks. We try to respond to every report within 48 hours, but we may be slower to respond to reports about the following:

Our policies on presence/absence of SPF/DMARC records.
Password, email and account policies, such as email id verification, reset link expiration, password complexity.
Host header injections, unless you can show how they can lead to stealing user data.
Attacks requiring physical access to a user’s device.
Reports of spam (i.e., any report involving ability to send emails without rate limits).
Missing best practices (we require a repeatable proof of concept demonstrating a security vulnerability).
Any physical attacks against Splitwise property, offices, or employees.
We will only accept critical reports in (e.g., RCE). Minor issues that can’t impact Splitwise users are out of scope. Please report them to the Automattic Program.
Clickjacking on domains other than or

Bug bounty programs / Splunk Bug Bounty
« Last post by Angelina on May 11, 2023, 06:43:35 PM »
submit bug report:

Customers turn to Splunk to understand and improve their security posture. We practice what we preach. We are dedicated to keeping your data secure and private. We are committed to adhering to global and industry compliance initiatives. We prepare for incidents, and we help you prepare, respond to, and remediate the consequences of any incidents. To learn about how Splunk keeps your data secure and private in its offerings, how it deploys Security by Design particularly in hosted services, and our policies visit Splunk Protects.

If you discover a security vulnerability in a Splunk product or service, we want to hear it. If you’re a Splunk Customer, go to the Support Portal and submit a New Case. If you already submitted through Support, we’ll be in touch with you through the Case.

To report a vulnerability to Splunk Security, please fill out the submission form below. If you prefer not to use the form, email [email protected] [PGP public key]. Someone will be in touch with you within two business days of receipt of your communication.

The form routes to Splunk Security through the HackerOne managed platform, which requires creating an account on HackerOne to claim the submission. Splunk’s Responsible Disclosure program does not offer monetary rewards. By submitting your report, you agree to the Splunk Website Terms & Conditions of Use.

Bug bounty programs / Spreaker Bug Bounty
« Last post by Angelina on May 11, 2023, 06:42:28 PM »
submit bug report:

At Spreaker, we take security very seriously and we believe that all help matters to promptly discover and address bugs and security issues. If you believe you've found a security issue within our service, we're happy to work with you to resolve that issue and ensure you are compensated for your discovery.


By submitting a security bug or vulnerability to Spreaker, you acknowledge that you have read and agreed to the Program Terms and Conditions set forth below. By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Spreaker's prior written approval.

Program Terms and Conditions


Your participation in our program is voluntary and subject to the below terms and conditions:

You need to show that you could exploit a vulnerability, but you must not actually exploit it. You must not: access, modify, copy, download, delete, compromise or otherwise misuse others’ data; access non-public information without authorization; degrade, interrupt or deny services to our users; and/or incur loss of funds that are not your own.

If you are performing research, please use your own accounts and do not interact with other users’ accounts or data.

You must not leverage the existence of a vulnerability or access to sensitive or confidential data to make threats, extortionate demands, or ransom requests.

Your testing must not violate any applicable laws or regulations.

You are prohibited from participating in the program if you are a resident of any U.S. embargoed jurisdiction, including but not limited to Iran, North Korea, Cuba, the Crimea region, and Syria; or if you are on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Person’s List or Entity List. By participating in the program, you represent and warrant that you are not located in any such country or on any such list.

By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Spreaker’s prior written approval.

You will be responsible for any tax implications related to any bounty payment you receive, as determined by the laws of your jurisdiction.

You must be 18 years of age or older.

You must not be employed by Spreaker or any of its affiliates. You must also not be an immediate family member of someone employed by Spreaker or any of its affiliates.

By reporting a bug, you grant Spreaker and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, create derivative work from, or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, arising out of your submission.

Whether to provide a payment for the disclosure of a bug and the amount of the payment is entirely at our discretion, and we may cancel or modify the program at any time.

Only the earliest, responsibly-disclosed submission of a vulnerability instance with enough actionable information to identify the issue will be marked as valid. All other reports for a given issue will not be eligible for reward under our program.


Non-Qualifying Vulnerabilities
Furthermore, Spreaker does not consider the following to be eligible vulnerabilities:

Account squatting by preventing users from registering with certain email addresses

Attacks requiring MITM or physical access to a user’s device

Best practice reports without a valid exploit (for example, use of “weak” TLS ciphers)

Clickjacking on pages with no sensitive actions

Comma Separated Values (CSV) injection without demonstrating a vulnerability

Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

Denial of service

Disclosure of server or software version numbers

Hypothetical subdomain takeovers without supporting evidence

Issues that require unlikely user interaction

Missing best practices in Content Security Policy

Missing best practices in SSL/TLS configuration

Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, and so on)

Missing HttpOnly or Secure flags on cookies

Open redirect - unless an additional security impact can be demonstrated

Perceived security weaknesses without concrete evidence of the ability to compromise a user (for example, missing rate limits, missing headers, and so on)

Previously known vulnerable libraries without a working Proof-of-Concept

Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis

Rate limiting or bruteforce issues on non-authentication endpoints

Reports exploiting the behavior of, or vulnerabilities in, outdated browsers

Reports of spam


Session invalidation or other improved-security related to account management when a credential is already known (for example, password reset link does not immediately expire, adding MFA does not expire other sessions, and so on)

Social engineering

Software version disclosure / Banner identification issues / Descriptive error messages or headers (for example, stack traces, application or server errors)


Unconfirmed reports from automated vulnerability scanners

User/merchant enumeration

Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)


Services in Scope

Reports for assets in the following domains are not eligible for reward:

Also, third-party plugins / inclusions / websites are excluded (e.g., JavaScript included by a third party).


Any other * web services are intended to be in scope.


Reward Amounts

Rewards for qualifying bugs range from $100 to $1,000, sent to your PayPal account. The following table outlines the usual rewards given for the most common classes of bugs:

up to $100: vulnerabilities that compromise third party user data (i.e., you can edit a 3rd party user profile data)

up to $500: vulnerabilities that globally compromise user accounts (i.e., you can authenticate as any 3rd party user, you can delete any 3rd party account, you can change the email or password of any 3rd party account, ...)

up to $1000: vulnerabilities that compromise Spreaker’s private data and servers (i.e., you can access the source code, query the database, get remote access to server, etc.)

Bug bounty programs / Sprout Social Bug Bounty
« Last post by Angelina on May 11, 2023, 06:41:11 PM »
submit bug report:

Sprout Social’s social media management platform will help you find, form and deepen real connections with the people who love your brand. We invite you to test and help secure our primary publicly facing assets. We appreciate your efforts in making SproutSocial more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Out of Scope Submissions
2/11/2020 - Moving forward, DMARC and SPF records will be considered out of scope.

Testing is only authorized on the targets listed as In-Scope. Any domain/property of SproutSocial not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to [email protected] before submitting.

A note about the targets above
We generally appreciate any bug reports about systems that we use. However, we cannot authorize testing against third parties that we may contract with, and such testing may be in violation of their terms of service. In addition, for anything hosted on AWS, please avoid using network scanners, as this is prohibited by AWS unless you have prior permission (and even then is prohibited in many cases).

There are a few specific exclusions above. Please ensure that you have read and fully understood the target listing above before testing anything.

For new features to test, please see the following:

Sprout Social offers a free 30-day trial, so go ahead and make an account (no credit card needed to sign up). Use your email addresses when signing up. You may attach your own profiles to those accounts (this may be useful to give yourself more experience with the various parts of the app), or you may attach fake profiles of your choosing. We do not provide test accounts for use.

Researchers testing the mobile applications should note that we do not presently allow new account signups from the mobile apps. New trial accounts may be created on the site from a mobile browser, and subsequently used in the mobile applications.

Safe Harbor:
When conducting vulnerability research according to this policy, we consider this research to be:

Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through this program, or inquire via [email protected] before going any further.

Bug bounty programs / Stanford University Bug Bounty
« Last post by Angelina on May 11, 2023, 06:39:25 PM »
submit bug bounty:

Report an Incident
For lost or stolen devices and High Risk data compromise or other unauthorized exposure, contact the University Privacy Office.

In cases where you become aware of a security issue regarding Stanford's computers or networking resources.  Below are some examples of reportable IT security incidents:

Compromised endpoint (e.g., malware, keylogger, ransomware)
Compromised server (e.g., malware, unauthorised use/access, unusual activity)
Compromised Stanford websites (e.g., website defacement)
Compromised infrastructure (e.g., router, switch, firewall, ICS device)
Compromised user account
Unauthorized exposure of sensitive data (especially high risk data types)
Denial of service (DoS)

Please use one of the following contacts to report an IT security incident:

Contact your local IT support
Information Security Office (ISO):
Submit a help ticket to ISO
650-725-4357 (UIT Service Desk)
Bug bounty programs / Starbucks Bug Bounty
« Last post by Angelina on May 11, 2023, 06:37:45 PM »
submit bug report:


Starbucks believes in a program that fosters collaboration among security professionals to help protect our systems and customers’ personal information from malicious activity and to help set security policies across our organization. We value the security and safety of our customers’ personal information above all.
For the protection of our customers, Starbucks does not publicly disclose, discuss, or confirm security matters before comprehensively investigating, diagnosing, and fixing any known issues.
Table of Contents
Program Eligibility
Program Rules
Report Submissions
What is required when submitting a report?
What happens after you submit a report?
How do I make my report great?
What causes a report to be closed as Informative, Duplicate, N/A, or Spam?
Helpful Hints
Starbucks reserves the right to modify terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. We reserve the right to cancel this program at any time. Must be 18 or older to be eligible for an award.
Program Eligibility
You must agree and adhere to the Program Rules and Legal terms as stated in this policy.
You must be the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.
You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
Zero-day vulnerabilities will not be considered for eligibility until more than 30 days have passed since patch availability.
Out-of-scope vulnerability reports may be addressed as a form of vulnerability disclosure but will generally not be considered reward eligible.
Starbucks partners (employees) and vendors are not eligible for participation in this program.
Program Rules
Read and abide by the program policy.
Perform testing using only accounts that are your own personal/test accounts or an account that you have the explicit permission from the account holder to utilize.
Exercise caution when testing to avoid negative impact to customers and the services they depend on.
Stop when unsure. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.
Do not brute force credentials or guess credentials to gain access to systems.
Do not participate in denial of service attacks.
Do not upload shells or create a backdoor of any kind.
Do not engage in any form of social engineering of Starbucks employees, customers, or vendors.
Do not engage or target any Starbucks employee, customer or vendor during your testing.
Do not attempt to extract, download, or otherwise exfiltrate data which you believe may have PII other than your own.
Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If ever prompted to change a password, stop and report the finding immediately.
Do not publicly disclose vulnerability reports that are not resolved and approved for disclosure by Starbucks.
Do not submit reports here as a means to engage us to buy your products or services. Please direct your sales inquiries through proper channels.
Report Submissions
What is required when submitting a report?
Provide the information asked for by the new report form, following the instructions there. Some important considerations include:
Title – this should be a quick and clear summary of your issue.
Asset – this should match exactly the asset you are reporting, or “Other”.
Severity – the CVSS calculator is used to evaluate severity and bounty, so to avoid disappointment, be honest and critical when scoring severity.
Weakness – select the most appropriate vulnerability type.
Description – provide all the requested fields.

The Starbucks team will then review your report. We will be working on the issue but may not have enough information to immediately move it from "New" to "Triage". As a global company, we often need to engage with teams across multiple time zones so we may need additional time to fully validate the report.
Starbucks will "Triage" valid & eligible reports that we intend to take action on. During this time, we will work with our internal teams to resolve the issue and follow up to close the report as "Resolved".
Reward amounts are calculated based on the numerical CVSS score assigned to the report.
We strive to pay bounty on "Triage" and will do so when there is high confidence in the accuracy of the assigned scope and severity. Occasionally, we may need to delay payment until we fully investigate the details of a report.
All bounty amounts will be at the discretion of the Starbucks Bug Bounty team.
Reports that include a unique Nuclei Template to validate the finding will be rewarded a $250 bonus.
Starbucks will not bonus submissions that include an open-source community template demonstrating vulnerability findings. The template must be unique for the vulnerability being demonstrated.
Starbucks retains a perpetual right to utilize any templates submitted as part of a report and will not make any templates provided to Starbucks available to the public.
Reports submitted using methods that violate policy rules will not be eligible for reward.
To be eligible for a reward, the report must be for a reward eligible asset as defined in the scope section of our policy.
Reports where the researcher has confirmed and reported the same vulnerability on multiple assets, with the same root cause, may qualify for a 1.5 multiplier on their bounty award. Do not submit duplicate reports for the same issue across multiple sites as the duplicates will be closed and the issue will be treated as one report.
While we aim for consistency, previous reports and prior bounty amounts do not set a precedent and are not to be used for negotiating a higher reward. Changes to policy and the occasional human error should be considered.
Understand that there could be submissions for which we accept the risk, have other compensating controls, or will not address in the manner expected.

Bug bounty programs / Stack Exchange Bug Bounty
« Last post by Angelina on May 11, 2023, 06:34:13 PM »
submit bug report:

Reporting Security Vulnerabilities
We take security vulnerabilities very seriously and work hard to provide a secure online experience for our users. If you believe you have discovered a security issue that affects many users, please report it to us so we can investigate and correct the problem.

Don't abuse other users when testing. You can use your own account or create sockpuppet accounts, but do not test or demonstrate your theories on (or at the expense of) your unsuspecting peers.

To report a security vulnerability that affects many users, please fill out this form:

Contact Form

Choose "Other" as the type and include the words "Security Vulnerability". Be as detailed as you can in the steps required to reproduce the error. Please do not post serious security issues publicly on a meta site or elsewhere.

Hall of Fame
We are extremely grateful to members of the security research community who have reported serious security vulnerabilities to us directly. While we cannot always reveal what the vulnerability was, we do want to recognize their contributions publicly.

Year   Name   Link
2022, 2016-2017   Rene   Blogging About .Net and other stuff
2022   Moein abas AKA mosec
2022   Sayooj B Kumar
2021   Tinu Tomy
2021   Abdalla Ali   ElanAli
2021   Lauritz Holtmann
2021   Ioannis Kakavas
2020   Andreas Wixler
2020   Priyanshu Parihar
2020   Marek Jilek
2019   Ai Ho
2018   Arminius
2018   ~Ele the HackDemonium~   
2018, 2011-2016   Jeremy Banks
2018   Arun Babu
2017   Vineet Kumar
2017   Elyesa in der Maur
2017   Kenny Hietbrink
2017   David Albert
2016   Bhavuk Jain
2016   Pedro Cardoso
2016   Kamran Saifullah
2016   Michał Perłakowski
2016   Slava Shklyaev
2015   Russel Van Laurio
2015   Nadav S. Samet
2013   Reginaldo Silva
2012   Mathias Bynens
2009-2010   Daniel LeCheminant   javascript:$.getScript("")
Bug bounty programs / Swiggy Bug Bounty
« Last post by Angelina on May 11, 2023, 06:33:02 PM »
submit bug report:

What is Security Bug Bounty Responsible Disclosure Program?
We work hard to keep Swiggy secure, and make every effort to keep on top of the latest threats by working with our in-house security team. If you think we've made a security mistake or have a vulnerability, please share with us right away.
How to report a bug
If you're the first one to alert us and it leads to us making a change, we'll pay you a reward based on the criticality.
To participate in the Swiggy Bug Bounty Program, you can Sign Up using your phone number and email ID from the website home page or app. Do ensure that you are reachable on the mobile number that you shall use to register with us. While creating an account, participants should use this particular email ID format, as below:
[email protected]
Participants to the Program shall strictly be bound by Swiggy Non-Disclosure Terms.
Responsible Disclosure
The identified bug shall have to be reported to our security team by sending us a mail from your registered email address to [email protected], with the email containing the details below and the subject prefixed with "Bug Bounty". The mail should strictly follow the format below.

Bug Bounty: <Vulnerability Category> - <Bounty Hunter Full Name>

Email body:
Vulnerability Information:
Name of Vulnerability:
Vulnerability Category:
Vulnerable Instances:
Steps to Reproduce:
Proof of Concept:
Bounty Hunter details:
Full Name:
Email Address:
Mobile Number:
Any Publicly Identifiable profile:

Note: For <Vulnerability Category> in the subject line, please try to select the vulnerability category that most closely matches one defined in the Reward Categorisation. The Swiggy security team will review the submission and revert back within 5 working days.

Program scope
Our Targets

Android App
iOS App
Infra Security [Ex: Open Network Ports, Open Services other than HTTP Endpoints ] [DoS and DDoS testings ARE STRICTLY PROHIBITED]

Out-of-Scope Apps
Vendor Endpoints
Delivery App Endpoints
3rd Party Applications

Reward Categorisation
Note: Automated tools or scripts ARE STRICTLY PROHIBITED, and any POC submitted to us should have a proper step-by-step guide to reproduce the issue.
Abuse of any vulnerability found shall be liable for legal penalties.
Note: Bounty rewards will be established after discussion with the stakeholder leadership team.

All the bounty rewards will be paid based on an internal assessment by the Swiggy security team. We have grouped vulnerabilities based on impact in the severity categorisation below. The categorisation of vulnerabilities by severity was created to give insight into how we assess the vulnerabilities. It's not an exhaustive list and Swiggy can update it at any point of time.

SQL Injections (Able to access and manipulate sensitive and PII information)
Remote Code Execution (RCE) vulnerabilities
Shell Upload vulnerabilities (Only upload basic backend script that just prints some string, preferably try printing the hostname of the server and stop there!)
Vertical privilege escalation (Gaining admin access)
Bulk user sensitive information leak
Business logic vulnerabilities (Critically impacting Swiggy Brand, User (Customer/Vendor/Delivery Executive) data and financial transactions)
Authentication bypass
Non-Blind SSRF
Account Takeover (Without user interaction)
Stored XSS
Subdomain Takeover (On active domains)
IDOR (Able to access and modify sensitive and PII information)
Horizontal privilege escalation
Deserialization vulnerabilities
Path traversal (Access to sensitive information)
Mobile App vulnerability (Doesn’t require root/jailbreak access on the device and having access to sensitive information)
SQL Injection (For non-sensitive information)
Account Takeover (With user interaction)
IDOR (Able to access and modify non-sensitive information)
Reflected/DOM XSS to steal user cookies
Subdomain Takeover (On non-active domains)
Injection attacks (Formula injection, Host header injection)
Mobile App vulnerability (Require root/jailbreak access on the device and having access to sensitive information)
Path Traversal (Access non-sensitive information)
IDOR (Non-sensitive information disclosure)
Mobile App vulnerability (Require root/jailbreak access on the device and having access to non-sensitive information)
Mobile App vulnerability (Doesn’t require root/jailbreak access on the device and having access to non-sensitive information)
Captcha bypass
Hall of Fame Criteria
Bounty hunter’s name and profile, with valid critical and high findings, will be displayed in our "Hall of Fame" page
Bounty hunter’s name and profile, with more than 5 new valid medium and low findings within 90 days, will also be displayed in our "Hall of Fame" page
For medium and low findings, we will provide bounty rewards without displaying their name and profile on "Hall of Fame" page
IDOR references for objects that you have permission to
Duplicate submissions that are being remediated
Known issues
Rate limiting (Unless which impacts severe threat to data, business loss)
Multiple reports for the same vulnerability type with minor differences (only one will be rewarded)
Open redirects
Clickjacking and issues only exploitable through clickjacking
Only session cookies needed http and secure flags. Apart from these, for other cookies we won’t consider as vulnerability
Social Engineering attacks
System related
Patches released within the last 30 days
Networking issues or industry standards
Password complexity
Email related
SPF or DMARC records
Gmail "+" and "." acceptance
Email bombs
Unsubscribing from marketing emails
Information Leakage
Descriptive error messages (e.g. Stack Traces, application or server errors)
HTTP 404 codes/pages or other HTTP non-200 codes/pages
Fingerprinting / banner disclosure on common/public services
Disclosure of known public files or directories, (e.g. robots.txt)
Cacheable SSL pages
SSL/TLS best practices
CSRF on forms that are available to anonymous users (e.g. the contact form, sign-up form)
Logout Cross-Site Request Forgery (logout CSRF)
Weak CSRF in the APIs
Login/Session related
Forgot Password page brute force and account lockout not enforced
Lack of Captcha
Sessions not expiring after email change
Presence of application or web browser 'autocomplete' or 'save password' functionality
Session Timeouts
Swiggy Non-Disclosure Terms ("Terms")
'Confidential information' shall mean all information supplied in confidence by the Company to the Participant, which may be disclosed to the Participant or otherwise acquired by the Participant in its performance under this Security Bug Bounty Responsible Disclosure Program including -
All information which a reasonable person would consider confidential under the context of disclosure or due to the nature of the information itself, and shall include technical and non-technical information, intellectual property rights, know-how, designs, techniques, plans, procedure, improvement, technology or method, object code, source code, databases or any other information relating to the Company’s product, work in progress, future development of the Company’s product
Marketing strategies, plans, financial information, projections, operations, sales estimates, shareholding patterns, business plans and performance results relating to the past, present or future business of the Company, plans for products or services, and customer or supplier lists
The content, the technical documents and all information in relation to the Company’s product the terms of this Agreement
Any information which may be communicated.
Obligation of Confidentiality
The Participant undertakes to treat and maintain all Confidential Information in confidence. With respect thereto, the Participant undertakes and agrees as follows:
These Terms do not create a joint venture or partnership between the Parties.
For a period of 5 (five) years the Participant shall not publish, disseminate, disclose any Confidential Information.
The Participant shall use the Confidential Information only in connection with the Purpose and for no other reason whatsoever
The Participant shall not copy or reproduce to writing any part of the Confidential Information and any copies, reproductions or reductions to writing of the Confidential Information which have already been made by the Parties shall be the property of the Company.
The Participant shall not, from the date of agreeing to these Terms, independently develop or have developed for itself products, concepts, systems or techniques that are similar to or compete with the products, concepts, systems or techniques contemplated by or embodied in the Confidential Information of the Company or the Purpose, which development shall be construed as a violation of the obligations of the Participant under these Terms.
The Participant shall indemnify, defend and hold the Company harmless from and against any losses, costs, expenses, damages of whatsoever nature which may be incurred or suffered by the Company arising out of or as a result of any breach of contract, warranty, tort (including negligence) or otherwise of any of the Participant’s obligations or agreements contained herein.
All Confidential Information furnished to the Participant by the Company shall remain the exclusive property of the Company and the Company shall have the sole and exclusive ownership of all right, title, and interest in and to the Confidential Information, including ownership of all copyrights, patents and trade secrets pertaining thereto, subject only to the rights and privileges expressly granted by the Company under the Terms mentioned here in above.

Promptly upon the Company’s request at any time, the Participant shall return / cause to be returned to the Company all the Confidential Information, including all materials or documents, any copies, summaries and notes of the contents thereof (whether in hard or soft copy form) without limitation, all copies of any analyses, compilations, studies or other documents prepared by and/or for Company, containing or reflecting any Confidential Information and give written certification accordingly.

The Participant understands and acknowledges that any disclosure or misappropriation of any of the Confidential Information in violation of the confidentiality obligations will cause the Company grave and irreparable harm, loss and injury, the amount of which may be difficult to ascertain. The Participant agrees that the Company have the right to apply to a court of competent jurisdiction for specific performance and/ or an order restraining and enjoining any such further disclosure or breach and for such other relief as the Company shall deem appropriate, without posting or the need to post any bond or other security. Such right of the Company to obtain equitable relief in the form of specific performance, temporary restraining order, temporary or permanent injunction or any other equitable remedy which may then be available to it, without the necessity of proving actual damages, shall be in addition to the remedies otherwise available to it at law. The Participant expressly waives the defense that a remedy in damages will be adequate.

No Warranties
Nothing contained in the Terms mentioned hereinabove shall be construed to obligate the Company to disclose any information to the Participant.

Any notice or communication to be given under to the Participant shall be given if delivered in writing to the intended Participant on the email id provided by the Participant at the time of registration
These Terms shall be fully binding upon the Participant.
The Participant shall not make any assignment of these Terms or any interest therein.
The failure of the Company to insist upon or enforce strict performance of any of the Terms mentioned hereinabove or to exercise any rights or remedies mentioned hereinabove, shall not be construed as a waiver or relinquishment to any extent of the Company’s rights to assert or rely upon any such provisions, rights or remedies in that or any other instance; rather the same shall remain in full force and effect.
These Terms shall be governed by, construed and enforced in accordance with the laws of the Republic of India.
The courts in Bangalore shall have the exclusive jurisdiction