


Author Topic: Unikrn Bug Bounty [$40-$50]  (Read 19841 times)

Angelina

Unikrn Bug Bounty [$40-$50]
« on: May 08, 2023, 07:33:34 pm »
Submit bug report: https://unikrn.com

Unikrn built the most technologically advanced sportsbook for esports. We run the best fully-regulated and licensed esports bookmaker on the planet. No technology is perfect, and Unikrn believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
• Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Bounty Program
To show our appreciation of responsible security researchers, Unikrn offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.

Scope Exclusions (not eligible for a reward)

• DNS-related or HTTP(S) header-related reports
• Reports relating to self-DoS issues (as in, only the person doing the action is denied service)
• Reports relating to self-exploit issues (as in, only the logged-in person doing the action is exploited, in a non-sticky fashion)
• Reports of the same issue in an alias domain, if there is already an open report for the same issue on another domain
• Server/software version disclosure
• Login CSRF / logout CSRF
• Email spoofing (DMARC/SPF/DKIM)
• Reflected file download
• Clickjacking on empty or stage sites (read: must have high real-world impact)
• Flaws affecting out-of-date browsers and plugins
• Publicly accessible login panels or HTML, JS, etc.
• CSP policy weaknesses
• Tabnabbing (rel="noopener")
• HTTP Public Key Pinning
• We use S3 buckets to temporarily store files people provide. These files expire and should never transition into anything we deliver as files. As long as you cannot show a report where this is the case (we deliver this file or URL to someone who did not upload it), it is not relevant. The use case is then no different from an attacker creating his own S3 bucket and linking people to the file he uploaded (if you have reasons to disagree with this assessment, please open a report about it).
• Vulnerabilities in 3rd-party libraries without a working exploit against our apps/servers
• Recently disclosed 0-day vulnerabilities
• Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on our scoped domains
• Bugs that have not been responsibly investigated and reported, or that are directly copied and pasted from automated scan reports
• Bugs already known to us, or already reported by someone else (reward goes to the first reporter)
• Issues that aren't reproducible
• Issues that we can't reasonably be expected to do anything about

Requirements

• If you report on a network attack, please provide a curl command line (if possible).
• Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect.
• If you exploit something using a custom-crafted request (and it does not affect an API), please describe the real-world impact on a user visiting with a browser.
• Please allow 3 business days for us to respond before sending another question on it.
• Make sure to correctly classify the report severity. Refrain from reporting a severity above medium if the report has medium or limited impact on real users of a Unikrn service.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service
• Spamming
• Social engineering (including phishing) of Unikrn staff or contractors
• Any physical attempts against Unikrn property or data centers
• Probing well-known third-party components (like Olark) on our assets

If you are looking to report a non-security-related bug, please use this link https://unikrn.com/contact or send an email to support@unikrn.com instead. GPG key: https://unikrn.com/unikrn.asc
Thank you for helping keep Unikrn and our users safe!