submit bug report: http://card.com

CARD.com creates Fair, Fashionable and Fun online prepaid card solutions.
Inelegible targets
The following are specifically excluded from scope and should not be tested:
3rd party tools used by by CARD.com
3rd party service providers to CARD.com
All shared hosting environment (e.g. networking equipment, firewalls and other equipment) components that are not directly used to host the target URL
Physical environment pen-testing such as obtaining access to offices, server rooms, cars, homes, and physical objects (such as USB keys, phones, laptops)
Note: Our server may indicate a banner (e.g. Apache version X.Y.Z) that seems out of date, but which is not in fact out of date due to the way we manage patches to that software.
Policy: https://bugcrowd.com/card

submit bug report: https://brave.com

Brave Software believes that working with security researchers across the globe is crucial in making the web safer. If you believe you've found a security issue in our product or service, we encourage you to notify us. We will do our best to work with you to resolve the issue promptly. Thanks in advance!
📅 Recent Changes
This section summarizes notable recent changes. It's only a summary, though — the full policy is below the changelog.
ℹ️ On May 17 2021, we added details about Brave Search
ℹ️ On April 23 2021, we added details about BAT fraud issues that are in-scope.
ℹ️ On March 2 2021, we added details about in-scope network connections.
ℹ️ On Jan 29 2020, we added Brave Android Beta to in scope.
ℹ️ On Oct 29 2019, we clarified exclusions for DoS bugs.
ℹ️ On August 21 2019, we noted that social media account takeovers on our websites are out of scope.
ℹ️ On March 15 2019, we noted that non-default extensions are out of scope.
ℹ️ On March 8 2019, we noted that Github wikis being publicly editable is out of scope.
ℹ️ On February 25 2019, we removed the PGP key ID for encrypting reports since it had expired.
ℹ️ On February 5 2019, we noted that issues in Chromium are generally out of scope and should be reported to (and fixed by) the Chromium team, not the Brave team.
ℹ️ On January 11 2019, we noted that unexpected outbound network connections are always in-scope.
💵 Bounty Schedule
This is approximately how much we expect to pay for reports. Understand that this is a guide — it's meant to help set expectations.
"not applicable" — Reports about things that we have specifically noted as out of scope.
"informative" — We're aware of this, or we don't really see it as a security issue.
$50 — [Special] This is a public security issue (like a CVE) for another browser or platform — but it also works on Brave and we should fix it in Brave. [See scope section for details.]
≤$100 — While this bug is appropriately categorized as a security issue, it doesn't present much risk and isn't a priority to fix.
≤$250 — A minor security problem. Someone should probably fix it. It's likely not getting fixed in the next release.
≤$500 — This is definitely a real problem that puts Brave users at risk. We will ship a fix in a scheduled release. Hacker swag available upon request.
≤$1000 and beyond — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems — but if we do, we really want to hear about them.
Most of the bounties we award are $50-$300. Few of them are more than $500.
👁‍🗨 Disclosure Policy
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. We may publicly disclose the issue before resolving it, if appropriate.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
If you would like to send us an encrypted report, email security@brave.com with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it in our hackerone page.
We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.
ℹ️ Program notes
The output of an analysis tool doesn't constitute a report on its own. Please submit a PoC or describe in detail the specific attack which you've identified.
We prefer it when hackers file one report per bug, no matter how many different ways that underlying issue can be exploited. This makes it easier for us to understand what you're reporting and track our progress in fixing the issue. If fixing the problem described in one report would also prevent the troubling behavior described in another report of yours, those issues should probably be combined.
We are a relatively small team with a relatively large project to protect. Please bear with us if it takes a few days for us to validate and triage your report. Sometimes reports get lost in the shuffle, and we need a reminder. The best way to do this is to comment on your report and mention the Brave team member(s) you were working with. If this doesn't get our immediate attention, we are probably all putting out a fire, but you can also email security@brave.com. We would prefer that you not personally message Brave team members on other platforms or channels.
To our discretion, we may decide to grant the highest between the Impact and the Severity for constructive and detailed reports/vulnerability cases.
✅ In-scope
Security/privacy issues in any current release of the Brave browser (with occasional exclusions). This includes the Chromium-based desktop browser, and the current iOS and Android releases. Packages are available at https://brave.com/downloads.html.
Security/privacy issues in https://github.com/brave-experiments/sta-rs, especially cryptography bugs.
Network connections from the Brave browser that may compromise user privacy. This includes but is not limited to: requests to Brave Rewards endpoints for users who have NOT opted into Rewards, connections to third-party services (like Google) in the background and not in response to a user action, requests that leak IP or browsing activity from Tor windows, and DNS requests that do not use the DNS-over-HTTPS setting on platforms that fully support DoH. This does NOT include requests initiated by websites not owned by Brave, or requests that we deem necessary for Brave to function properly.
Security or privacy issues in any repo owned by https://github.com/brave-intl or https://github.com/brave (not forked) that is NOT deprecated or archived.
Information about BAT fraud that is not already known to us. We are particularly interested in knowing how fraudulent users can bypass our payout antifraud checks, such as specific IP rotation services or VM types.
Security issues affecting high-impact web services like https://search.brave.com, https://talk.brave.com, https://creators.basicattentiontoken.org/, and https://subscriptions.bsg.brave.com.
Security issues affecting any of the following Ethereum addresses: 0x0d8775f648430679a709e98d2b0cb6250d2887ef, 0x44fcfabfbe32024a01b778c025d70498382cced0, 0x7c31560552170ce96c4a7b018e93cddc19dc61b6, 0xfbfa258b9028c7d4fc52ce28031469214d10daeb, 0x67fa2c06c9c6d4332f330e14a66bdf1873ef3d2b
Medium or high severity security issues for other browsers which also affect Brave (as long as we don't already know about them). Public issues are only eligible for our $50 notification tier, rather than by severity. Chromium/Firefox security issues are only eligible for this tier if we fix them in Brave directly rather than waiting for the upstream Chromium/Firefox fix.
❌ Exclusions
The following products are out of scope:
All LinkBubble products
The legacy Muon-based version of Brave
The Muon desktop framework
Jira helpdesk which isn't ours
Issues in Chromium/Firefox are only eligible for this program if we plan to fix them directly in Brave. For most Chromium security issues, we wait for the issue to be fixed in Chromium and inherit the fix from them — these issues are out of scope. The same goes for iOS with Firefox, which is what iOS Brave is based on.
⭕️ The following bug classes are out-of scope:
Bugs that are already reported on any of Brave's issue trackers (https://github.com/brave, https://github.com/brave-intl), or that we already know about. Note that some of our issue trackers are private.
Bugs on community.brave.com should be reported to Discourse, not Brave: https://hackerone.com/discourse. Bugs on support.brave.com should be reported to Zendesk: https://hackerone.com/zendesk. Bugs on survey-admin.brave.com should be reported to https://blocksurvey.io/, though we can help escalate if they do not respond.
Bugs on websites that are not owned or operated by Brave.
Issues in an upstream software dependency (ex: Chromium or Firefox) which are not severe enough to warrant a fix independently of upstream. If the upstream maintainer believes the issue is wontfix but we disagree, we may reward for the issue and consider it valid.
Login/logout CSRF
Attacks requiring physical/local access to a user's device.
New browser fingerprinting or cross-site tracking methods are generally out-of-scope but will be considered on a case-by-case basis.
Attacks that allow a website to detect whether a user is using Brave instead of Chrome. This is impossible to defend fully against, and we are already aware of ways this can be done.
Attacks that allow a website to detect whether a user is using or has used a Tor or Private Browsing window.
Self-XSS
Issues related to software or protocols not under Brave's control
Vulnerabilities in outdated versions of Brave
Redirect continuation URL vulnerabilities
Missing security best practices that do not directly lead to a vulnerability
Issues that have little to no impact on the general public
Issues in LinkBubble (https://play.google.com/store/apps/details?id=com.linkbubble.playstore) are no longer in scope.
Pairs of Unicode and Latin characters which look similar-enough to be used in homoglyph-based phishing.
Denial-of-service and crash issues in our client-side products are out-of-scope UNLESS: the issue does not exist in Chrome AND the issue crashes/hangs the entire browser (not just a single tab). In addition, unless the DOS issue also leads to remote code execution or disclosure of users' data, we will not award a bounty but may give you thanks. In general, we do not consider resource exhaustion attacks to be security bugs.
Denial-of-service and crash issues on our services will be considered on a case-by-case basis but usually are out-of-scope unless serious.
A Github wiki being publicly editable is out of scope. Even though this poses a reputation risk, we already know about this issue and are continually working on fixing it.
Bugs in browser extensions which are not enabled/installed by default in Brave.
Social media account takeovers on our websites, unless the account is an official one owned by Brave (as opposed to an employee account or a community-maintained account)
DLL hijacking unless it doesn't require attacker to modify the PATH variable or do other actions that require local access.
Email flooding attacks
Server metrics being exposed on /metrics endpoints
Reports of scam sites in Brave Search result listings. Please report these to search-abuse@brave.com instead.
Repos containing NPM package names that are unclaimed on the public NPM registry, unless you find examples of code that try to install them from the public NPM registry.
Path being displayed in 404 pages
Documents with public commenting/suggesting/reading permission that don't contain any private info
Reports without clear steps that allow us to reproduce the vulnerability
Reports about npm/pip/etc. dependency vulnerabilities will be considered on a case-by-case basis. We may not award for these unless there is a proof of concept.
Reflected/self-XSS, including entering javascript: in the URL bar (this is generally needed for bookmarklets functionality)
Hostname confusion due to '@' symbol in a URL.
We will try our best to consider reports which are not in English but may not be able to triage them due to lack of non-English speakers.
While researching, we'd like to ask you to refrain from:
Denial of service
Spamming
Social engineering (including phishing) of Brave Software staff or contractors
Any physical attempts against Brave Software property or data centers
Thank you for helping keep Brave Software and our users safe!

submit bug report: https://www.blockchain.com/·

Blockchain.com is the most trusted and fastest-growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.
To date, we have over 80 million wallet signups, 1 trillion cryptocurrency and token transactions, and 37 million verified users supporting 200+ countries.
If you are new to our products, please review our Security Learning Portal before submitting reports.
Terms
You are welcome to test our products with your own funds but please note that Blockchain.com is not responsible for any losses.
Our evaluation of all reported vulnerabilities is final.
Response Targets
Blockchain.com will make a best effort to meet the following response targets for hackers participating in our program:
Time to first response (from report submit) - 2 business days
Time to triage (from report submit) - 5 business days
Time to bounty (from triage) - 10 business days
Time to resolution - depends on severity and complexity
Severity   SLA in business days
Critical   2 days
High   7 days
Medium   60 days
Low   180 days
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from Blockchain.com.
Follow HackerOne's disclosure guidelines.
Program Rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Please do NOT use automatic scanners. We cannot accept any submissions found by using automatic scanners.
Rate limit (maximum amount of requests per second) used in automation: max 3 requests per second.
Submit one vulnerability per report, unless you need to chain vulnerabilities to maximise impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering of any type (e.g. phishing, vishing, smishing) is strictly prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
The scope approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.
Out of Scope
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
Open redirect at blockchain.com/r unless you devise a way to bypass the warning screen
The same email address can be used to register multiple wallet accounts -- this is intentional.
https://en.bitcoin.it/wiki/ and the en.bitcoin.it domain are NOT owned by Blockchain.com and therefore are NOT in scope.
Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.
Clickjacking on pages with no sensitive actions.
Password, email, and account policies, such as email address verification, password complexity.
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Rate limiting or brute-force issues on non-authentication endpoints
Missing flags like HttpOnly or Secure on cookies
Missing best practices in Content Security Policy or best practice security headers
Presence of autocomplete attribute on web forms
Tabnabbing or Reverse tabnabbing
Blind SSRF without proven business impact (DNS pingback only is not sufficient)
Open redirect - unless an additional security impact can be demonstrated
Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Phishing websites and malware lookalike applications (please report to Support staff instead)
Physical security of our offices, employees, etc.
Non-security-impacting UX issues
Web applications operated by third parties are only considered in scope under the following ways:
Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.
Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward these issues on top of the vendor based on the outcome of that report.
The following assets represent third-party applications, along with their vendors to report issues to:
email-clicks.blockchain.com (SendGrid)
support.blockchain.com (ZenDesk)
blog.blockchain.com (Medium)
why.blockchain.com (InstaPage)
track.blockchain.com (Tune)
partners.blockchain.com (Tune)
Testing Tips
When spidering or testing our blockchain data, our site contains many URL variations exposing the data with few variations that merit individual security testing. This includes:
Data for each transaction, block, address, etc. e.g. https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb vs https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25
Data presented in multiple human languages, e.g. https://www.blockchain.com/explorer vs https://www.blockchain.com/es/explorer
Our open source application source code can be found for review at GitHub.
Safe Harbor
Any activities conducted in a manner consistent with the law and our bounty policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Blockchain.com and our users safe!

submit bug report: https://bitnet.io

Bitnet encourages responsible disclosure of security vulnerabilities through this bug bounty program. If you believe you have found a security vulnerability that could impact Bitnet or our customers, we encourage you to let us know right away.
Responsible disclosure includes giving Bitnet a reasonable amount of time to fix an issue before you make it public or publish it elsewhere. In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided that they do their best to discover and disclose of the vulnerability responsibly.
Bitnet may modify the terms of this program or terminate this program at any time. Any changes will affect the program going forward from the time of the change.
Scope of the Bitnet Bug Bounty Program
In scope for this program is the Bitnet API. Bitnet asks that tests are performed against our Test Environment, which runs the same code as production, in order to avoid potential privacy violations, destruction of data and interruption to or degradation of our service during your research. You will need to be registered with Bitnet and have your IP white-listed in order to access this environment.
The www.bitnet.io and the Bitnet Developer Website are NOT in scope for this Bug Bounty Program.
Reporting A Vulnerability
If you think you have discovered a security vulnerability or problem, please contact us at security@bitnet.io to be invited to our HackerOne program.
When reporting a suspected vulnerability, we ask that you be as precise as possible including detailed steps on how to recreate so that we can address it in a timely manner. If appropriate, please include a video or screenshots. Let us know how you believe the issue will affect Bitnet.
Policy: https://bitnet.io/whitehat/

submit bug report: http://www.bitdefender.com

The Bug Bounty Reward program encourages security researchers to identify and submit vulnerability reports regarding virtually everything that bears the Bitdefender brand, including but not limited to the website, products and services.
Program Terms
Participation in the Bitdefender Bug Bounty Reward program is voluntary and subject to the legal terms and conditions detailed on Terms and Conditions page. By submitting a vulnerability report to Bitdefender, you acknowledge that you have read and agreed to our program terms.
Qualification Criteria
The program covers any exploitable vulnerability that can compromise the integrity of our user data, crash applications (leading to compromise of data) or disclose sensitive information (for example remote code execution, SQL injection, Cross-Site Scripting, Cross-Site Request Forgery, information disclosure of sensitive data, authentication theft or bypass, clickjacking).
Make sure your submission report includes the proof of concept and replication information.
Non-qualifying vulnerabilities
This is not a BETA test program. Cosmetic bugs, UX issues, product crashes that can’t be exploited will not qualify.
Submission process
We encourage you to send your submissions in an encrypted format to bugbounty@bitdefender.com
We prefer PGP and you can import our public key from here. Make sure your report includes:
A clear and relevant title
Affected product / service
Vulnerability details and impact
Reproduction steps / Proof of Concept
Policy: http://www.bitdefender.com/site/view/bug-bounty.html
Domains
bitdefender.com