


Recent Posts

91
Bug bounty programs / Blockchain Bug Bounty
« Last post by Angelina on July 15, 2023, 10:08:41 AM »
submit bug report: https://www.blockchain.com/

Blockchain.com is the most trusted and fastest-growing crypto company, helping millions across the globe have an easy and safe way to access cryptocurrencies.
To date, we have over 80 million wallet signups, 1 trillion cryptocurrency and token transactions, and 37 million verified users supporting 200+ countries.
If you are new to our products, please review our Security Learning Portal before submitting reports.
Terms
You are welcome to test our products with your own funds but please note that Blockchain.com is not responsible for any losses.
Our evaluation of all reported vulnerabilities is final.
Response Targets
Blockchain.com will make a best effort to meet the following response targets for hackers participating in our program:
Time to first response (from report submit) - 2 business days
Time to triage (from report submit) - 5 business days
Time to bounty (from triage) - 10 business days
Time to resolution - depends on severity and complexity
Severity   SLA in business days
Critical   2 days
High   7 days
Medium   60 days
Low   180 days
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
Do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from Blockchain.com.
Follow HackerOne's disclosure guidelines.
Program Rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Please do NOT use automatic scanners. We cannot accept any submissions found by using automatic scanners.
Rate limit (maximum amount of requests per second) used in automation: max 3 requests per second.
Submit one vulnerability per report, unless you need to chain vulnerabilities to maximise impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced). Issues identified by our internal security testing prior to your report count as duplicates.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering of any type (e.g. phishing, vishing, smishing) is strictly prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
The scope approximately lists assets in scope for bounty testing including wildcards, except where otherwise excepted. We exercise sole and final discretion on which assets are in scope.
Out of Scope
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
Open redirect at blockchain.com/r unless you devise a way to bypass the warning screen
The same email address can be used to register multiple wallet accounts -- this is intentional.
https://en.bitcoin.it/wiki/ and the en.bitcoin.it domain are NOT owned by Blockchain.com and therefore are NOT in scope.
Support for HTTP methods such as OPTIONS does not constitute a vulnerability by itself; please ONLY submit findings related to this if you identify specific vulnerabilities.
Clickjacking on pages with no sensitive actions.
Password, email, and account policies, such as email address verification, password complexity.
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Rate limiting or brute-force issues on non-authentication endpoints
Missing flags like HttpOnly or Secure on cookies
Missing best practices in Content Security Policy or best practice security headers
Presence of autocomplete attribute on web forms
Tabnabbing or Reverse tabnabbing
Blind SSRF without proven business impact (DNS pingback only is not sufficient)
Open redirect - unless an additional security impact can be demonstrated
Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Phishing websites and malware lookalike applications (please report to Support staff instead)
Physical security of our offices, employees, etc.
Non-security-impacting UX issues
Web applications operated by third parties are only considered in scope under the following ways:
Aspects which we directly control such as our own DNS records for subdomains that point to third party applications are in scope.
Vulnerabilities in third-party applications must first be reported to the vendor. We may optionally reward these issues on top of the vendor based on the outcome of that report.
The following assets represent third-party applications, along with their vendors to report issues to:
email-clicks.blockchain.com (SendGrid)
support.blockchain.com (ZenDesk)
blog.blockchain.com (Medium)
why.blockchain.com (InstaPage)
track.blockchain.com (Tune)
partners.blockchain.com (Tune)
Testing Tips
When spidering or testing our blockchain data, our site contains many URL variations exposing the data with few variations that merit individual security testing. This includes:
Data for each transaction, block, address, etc. e.g. https://www.blockchain.com/btc/block/00000000000000000001b8cefefef6694987f5f4af52086dbb32867dbb8954eb vs https://www.blockchain.com/btc/block/00000000000000000009e6496f198e2b7767ffa935ad7ef0023f3a63ce46ce25
Data presented in multiple human languages, e.g. https://www.blockchain.com/explorer vs https://www.blockchain.com/es/explorer
Our open source application source code can be found for review at GitHub.
Safe Harbor
Any activities conducted in a manner consistent with the law and our bounty policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Blockchain.com and our users safe!
92
Bug bounty programs / Blackphone Bug Bounty
« Last post by Angelina on July 15, 2023, 10:07:49 AM »
submit bug report: http://blackphone.ch

Program Rules
Maintaining top-notch security is a group effort and Blackphone encourages independent security researchers to help us spot potential issues. To recognize such efforts and the important role they play in keeping the Blackphone ecosystem safe we offer a bounty for reporting qualifying security vulnerabilities. Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.
Rewards
Blackphone may provide rewards to eligible reporters of qualifying vulnerabilities. The standard reward is $128.00 USD. Reward amounts may vary depending upon the severity of the vulnerability reported. Blackphone will determine, in its discretion, whether a reward should be granted and the amount of the reward.
Eligibility and Responsible Disclosure
We are pleased to thank every researcher who submits valid reports that help us improve the security of the Blackphone. However, only those that meet the following eligibility requirements may receive a reward:
You must be the first reporter of a vulnerability;
The vulnerability must be a qualifying vulnerability (see Scope);
We can’t be legally prohibited from rewarding you;
You may not publicly disclose the vulnerability prior to our resolution;
Not be employed by Blackphone or its subsidiaries or related entities.
The Fine Print
As a condition of participation in this program, you hereby grant Blackphone, its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferable, sub-licensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Blackphone in connection therewith, for any purpose. You must comply with all applicable laws in connection with your participation in this program. As well, this program is not an offer of employment, nor of a contractual relationship between Blackphone and any other party. You are also responsible for any applicable taxes associated with any reward you receive. We may modify the terms of this program or terminate this program at any time. We will not apply changes to this program retroactively.
Eligible targets
PrivatOS (plus available updates & integrated applications)
Associated web portals
*.Blackphone update servers
Ineligible
Descriptive error messages (e.g. Stack Traces, application or server errors).
Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
Banner disclosure on common/public services.
Disclosure of known public files or directories, (e.g. robots.txt).
Clickjacking and issues only exploitable through clickjacking.
Self-XSS and issues exploitable only through Self-XSS.
CSRF on forms that are available to anonymous users (e.g. the contact form).
Logout Cross-Site Request Forgery (logout CSRF).
Presence of application or web browser 'autocomplete' or 'save password'
This bounty requires explicit permission to disclose the results of a submission.
Policy: https://bugcrowd.com/blackphone
93
Bug bounty programs / Bitnet Bug Bounty
« Last post by Angelina on July 15, 2023, 10:07:04 AM »
submit bug report: https://bitnet.io

Bitnet encourages responsible disclosure of security vulnerabilities through this bug bounty program. If you believe you have found a security vulnerability that could impact Bitnet or our customers, we encourage you to let us know right away.
Responsible disclosure includes giving Bitnet a reasonable amount of time to fix an issue before you make it public or publish it elsewhere. In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided that they do their best to discover and disclose the vulnerability responsibly.
Bitnet may modify the terms of this program or terminate this program at any time. Any changes will affect the program going forward from the time of the change.
Scope of the Bitnet Bug Bounty Program
In scope for this program is the Bitnet API. Bitnet asks that tests are performed against our Test Environment, which runs the same code as production, in order to avoid potential privacy violations, destruction of data and interruption to or degradation of our service during your research. You will need to be registered with Bitnet and have your IP white-listed in order to access this environment.
The www.bitnet.io and the Bitnet Developer Website are NOT in scope for this Bug Bounty Program.
Reporting A Vulnerability
If you think you have discovered a security vulnerability or problem, please contact us at [email protected] to be invited to our HackerOne program.
When reporting a suspected vulnerability, we ask that you be as precise as possible including detailed steps on how to recreate so that we can address it in a timely manner. If appropriate, please include a video or screenshots. Let us know how you believe the issue will affect Bitnet.
Policy: https://bitnet.io/whitehat/
94
Bug bounty programs / Bitgo Bug Bounty
« Last post by Angelina on July 15, 2023, 10:06:16 AM »
submit bug report: https://bitgo.com

BitGo’s Bug Bounty Program allows developers to discover and resolve bugs before the general public is aware of such bugs, preventing incidents of widespread abuse. If you find a security vulnerability on the BitGo API, open source software, libraries, or website please let us know right away. Please review the following information before submitting a report.
Responsible Disclosure Policy
If you give us reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you. We would prefer to give you recognition for your efforts, but you can remain anonymous at your discretion.
As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.
Program Info
Rewards
Hall of Fame: if you send in a qualifying vulnerability, at your discretion BitGo will list your name on our website.
Your name will be submitted with your discretion with any CVEs registered if public disclosure is appropriate.
Your choice of payment at various reward tiers.
Job opportunities! We are frequently hiring talented security researchers with strong communication skills. Finding bugs and communicating them well is a great way to get our attention
BitGo employees, former employees, contractors and consultants (including immediate family members and persons living in the same household) are not eligible to receive bounties or rewards of any kind under the BitGo Bug Bounty program.
Attributes of a Helpful Vulnerability
You’re the first person to responsibly disclose the security vulnerability.
The reported vulnerability could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within our infrastructure, such as:
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF/XSRF)
Broken Authentication
Circumvention of our Platform/Privacy permission models
Remote Code Execution
Privilege Escalation
Provisioning Errors
While investigating vulnerabilities, you made every attempt to use a test account instead of a real account.
While investigating vulnerabilities you did not cause any service disruption for BitGo customers. We will still never prosecute you if you adhered to our responsible disclosure policy and caused no damages beyond very short term Denial of Service, however irresponsible testing methods may impact your reward level.
While investigating vulnerabilities, you had no interaction with other accounts without the consent of their owners.
How to Send a Report
If a security vulnerability is found that meets the above qualifications, please submit a report through the HackerOne platform or contact BitGo and HackerOne at [email protected]
What to Send in a Report
Provide detailed steps in your message explaining how to reproduce the security vulnerability. This should include any links you clicked on, pages you visited, URLs, user IDs, etc. Provide clear descriptions of any accounts used in your report and the relationships between them.
If you send an image or a video, please:
Keep it short by showing only the necessary parts.
Record at a readable resolution.
Make sure the language of the video is in English to help us quickly identify the problem.
If a large amount of text appears in your video, please include a copy of the text in your message as well.
Please keep the video private by uploading it as an attachment.

* The final amount is always chosen at the discretion of the reward panel. In particular, we may decide to pay higher rewards for unusually clever or severe vulnerabilities; decide to pay lower rewards for vulnerabilities that require unusual user interaction; decide that a single report actually constitutes multiple bugs; or that multiple reports are so closely related that they only warrant a single reward.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Rate limiting or brute-force issues on non-authentication endpoints
Missing best practices in Content Security Policy.
Missing HttpOnly or Secure flags on cookies
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
Tabnabbing
Open redirect - unless an additional security impact can be demonstrated
Issues that require unlikely user interaction
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep BitGo and our users safe!
95
Bug bounty programs / Bitdefender Bug Bounty
« Last post by Angelina on July 15, 2023, 10:05:14 AM »
submit bug report: http://www.bitdefender.com

The Bug Bounty Reward program encourages security researchers to identify and submit vulnerability reports regarding virtually everything that bears the Bitdefender brand, including but not limited to the website, products and services.
Program Terms
Participation in the Bitdefender Bug Bounty Reward program is voluntary and subject to the legal terms and conditions detailed on Terms and Conditions page. By submitting a vulnerability report to Bitdefender, you acknowledge that you have read and agreed to our program terms.
Qualification Criteria
The program covers any exploitable vulnerability that can compromise the integrity of our user data, crash applications (leading to compromise of data) or disclose sensitive information (for example remote code execution, SQL injection, Cross-Site Scripting, Cross-Site Request Forgery, information disclosure of sensitive data, authentication theft or bypass, clickjacking).
Make sure your submission report includes the proof of concept and replication information.
Non-qualifying vulnerabilities
This is not a BETA test program. Cosmetic bugs, UX issues, product crashes that can’t be exploited will not qualify.
Submission process
We encourage you to send your submissions in an encrypted format to [email protected]
We prefer PGP and you can import our public key from here. Make sure your report includes:
A clear and relevant title
Affected product / service
Vulnerability details and impact
Reproduction steps / Proof of Concept
Policy: http://www.bitdefender.com/site/view/bug-bounty.html
Domains
bitdefender.com
96
Bug bounty programs / BigBasket Bug Bounty
« Last post by Angelina on July 15, 2023, 10:04:19 AM »
submit bug report: http://bigbasket.com

Security is a top priority for us and we take it very seriously. We put a lot of effort into our application, infrastructure, and processes to ensure that BigBasket is safe and secure for our customers to shop for their groceries online. We also put a lot of effort into ensuring the security of our customers' data. However, in case you are able to discover any security vulnerability, we would appreciate your help in responsibly reporting it to us so that we can investigate and address it as soon as possible.
For any responsible disclosure of a security vulnerability in our website, mobile application or our services,
Send a mail to [email protected] with complete details that would allow us to reproduce the vulnerability. Feel free to include POC code, screenshots, or videos that would make it easier for us to reproduce it. Please also include your contact details, such as a phone number, so that we can reach you if we need more information from you.
All the communication with us should remain absolutely confidential. You must destroy all the artifacts mentioned above (code, screenshots, videos) after the vulnerability is resolved.
In case you find a vulnerability that allows system access, you should refrain from proceeding further. You should not attempt to disrupt our service, destroy data or violate the privacy of customers.
Please note that exploiting the vulnerability for your own or others' benefit would mean that the disclosure is not responsible and would be considered an attack on our service and infrastructure, for which we might take legal recourse.
Policy: https://tech.bigbasket.com/security-at-bigbasket/
97
Bug bounty programs / Bugify Bug Bounty
« Last post by Angelina on July 15, 2023, 10:03:07 AM »
submit bug report: http://bugify.com

Responsible Disclosure
Security issues within our product offerings take a very high priority. We want to work with you to understand the scope of the vulnerability and ensure that we correct the problem fully.
In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in Bugify. Principles of responsible disclosure include, but are not limited to:
Accessing or exposing only customer data that is your own.
Avoiding destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
Avoiding scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the servers).
Keeping within the guidelines of our Terms Of Service.
Keeping details of vulnerabilities confidential until we have been notified and had a reasonable amount of time to fix the vulnerability, and further time to allow our customers a reasonable amount of time to upgrade.
In order to be eligible for a bounty, your submission must be accepted as valid by Bugify. We use the following guidelines to determine the validity of requests and the reward compensation offered:
Reproducibility - Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.
Severity - More severe bugs will be met with greater rewards. We are most interested in vulnerabilities with the Bugify web app and bugify.com. Rewards are offered at our discretion.
Excluded
support.bugify.com is a third-party service and is specifically excluded from the program.
Rewards
Only 1 bounty will be awarded per vulnerability.
If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
We maintain flexibility with our reward system, and have no minimum/maximum amount; rewards are based on severity, impact, and report quality.
Process
Contact us via the email address [email protected] with a detailed report of the potential vulnerability. This email should include as much of the following as possible:
Type of vulnerability.
Whether the information has been published or shared with others.
Affected products/websites and versions.
Affected configurations if applicable.
Step-by-step instructions/proof-of-concept codes to replicate the issue.
Once submitted, we will acknowledge that we have received your report with a non-automated reply within 7 days and provide an outline response plan where applicable.
We will then review the information and work to validate the reported vulnerability. In the event that a true vulnerability is discovered we will complete the investigation and notify the reporter. Where appropriate the reporter will receive results of the vulnerability findings, a plan for resolution and plans for public disclosure.
Policy: https://bugify.com/security
98
Bug bounty programs / Moodle Bug Bounty
« Last post by Angelina on June 14, 2023, 07:18:30 PM »
submit bug report: https://docs.moodle.org/dev/Moodle_security_procedures

Disclosure policy
We practice responsible disclosure, which means we have a policy of disclosing all security issues that come to our attention, but only after we have solved the issue and given registered Moodle sites time to upgrade or patch their installations.

We ask that when reporting a security issue, you observe these same guidelines, and beyond communicating with the security team, do not share your knowledge of security issues with the public at large.

How can I report a security issue?
Please submit your findings via our security issue submission form, providing step by step instructions if possible. The form is broken down into sections to help you provide all of the necessary details to help us assess the issue.

The submission form is linked to our Bugcrowd program, which ensures more efficient triage of incoming security issues and a smoother overall responsible disclosure process.

If you are a developer and wish to submit a fix along with your submission, please feel free to create a new issue in the Moodle Tracker instead, ensuring that you set a security level on the issue ("Serious security issue" or "Minor security issue"), which will hide it from public view. If you are submitting via Tracker and not sure whether an issue is a security issue, you should set the security level to "Could be a security issue".

In line with our responsible disclosure philosophy, please do not post about security issues in the forums on moodle.org or elsewhere, as this will reveal the issue before we are able to prepare a fix.

How we deal with a reported security issue
Issues submitted via the submission form are received by Bugcrowd's triage team, who perform initial triage on the report.
If the issue is confirmed valid and not a duplicate by the Bugcrowd team, the Moodle security team reviews the issue and evaluates its potential impact on all supported versions of Moodle. If the issue was submitted directly into Tracker rather than via the form, this will be the first step in the process.
Valid issues are then pushed to the Moodle Tracker (restricted from public view).
The Moodle security team works with the issue reporter to resolve the problem, following the Security issue development process and keeping details of the problem and its solution hidden until a release is made.
New versions are created and tested.
Meanwhile Moodle requests CVE identifiers for the security issue.
New packages are created and made available on download.moodle.org.
Advisories are mailed to administrators of registered Moodle sites, giving a period of time when they can upgrade before the issue becomes public.
A public announcement is made about the security issue in the Moodle security news forum.
Open Source Software Security is notified about it.
Issues submitted via the submission form are marked fixed in the Bugcrowd platform, which will notify the reporter.
Rewards
When a patched Moodle LMS security vulnerability is announced via CVE and the Moodle security news forum, we will always give credit by naming the first reporter of the issue (regardless of submission method).

In addition to this, if an email address is provided with submissions made via the submission form, it is possible for members of the Bugcrowd platform to claim their submissions under their Bugcrowd account. Please note that security issues submitted by other means (e.g. Tracker, email) cannot be linked to a Bugcrowd account, as they will not be triaged via that platform.

At this time, we do not offer a paid public bug bounty program.
99
Bug bounty programs / Keybase Bug Bounty
« Last post by Angelina on June 14, 2023, 07:17:06 PM »
submit bug report: https://keybase.io

The Keybase Bug Bounty program has merged with the Zoom Bug Bounty program. If you would like to submit a security bug report for Keybase via HackerOne, please email [email protected] to request an invitation.
Thank you
100
Bug bounty programs / Grofers Bug Bounty
« Last post by Angelina on June 14, 2023, 07:15:39 PM »
submit bug report: https://blinkit.com/security

Help keep Blinkit safe for the community by disclosing security issues to us
We take security seriously at Blinkit. If you are a security researcher or expert, and believe you’ve identified security-related issues with Blinkit's website or apps, we would appreciate you disclosing it to us responsibly.

Our team is committed to addressing all security issues in a responsible and timely manner, and asks the security community to give us the opportunity to do so before disclosing them publicly. Please submit a bug to us on our HackerOne page, along with a detailed description of the issue and steps to reproduce it, if any. We trust the security community to make every effort to protect our users' data and privacy.

