
Angelina

Spreaker Bug Bounty
« on: May 11, 2023, 06:42:28 pm »
Submit bug report: https://help.spreaker.com/en/articles/5123644-bug-bounty-program

At Spreaker, we take security very seriously and we believe that all help matters to promptly discover and address bugs and security issues. If you believe you've found a security issue within our service, we're happy to work with you to resolve that issue and ensure you are compensated for your discovery.

By submitting a security bug or vulnerability to Spreaker, you acknowledge that you have read and agreed to the Program Terms and Conditions set forth below. By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Spreaker's prior written approval.

Program Terms and Conditions

Your participation in our program is voluntary and subject to the below terms and conditions:

You need to show that you could exploit a vulnerability, but you must not actually exploit it. You must not: access, modify, copy, download, delete, compromise or otherwise misuse others’ data; access non-public information without authorization; degrade, interrupt or deny services to our users; and/or incur loss of funds that are not your own.

If you are performing research, please use your own accounts and do not interact with other users’ accounts or data.

You must not leverage the existence of a vulnerability or access to sensitive or confidential data to make threats, extortionate demands, or ransom requests.

Your testing must not violate any applicable laws or regulations.

You are prohibited from participating in the program if you are a resident of any U.S. embargoed jurisdiction, including but not limited to Iran, North Korea, Cuba, the Crimea region, and Syria; or if you are on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List. By participating in the program, you represent and warrant that you are not located in any such country or on any such list.

By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Spreaker’s prior written approval.

You will be responsible for any tax implications related to any bounty payment you receive, as determined by the laws of your jurisdiction.

You must be 18 years of age or older.

You must not be employed by Spreaker or any of its affiliates. You must also not be an immediate family member of someone employed by Spreaker or any of its affiliates.

By reporting a bug, you grant Spreaker and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, create derivative work from, or share your submission for any purpose. You waive all claims, including breach of contract or implied-in-fact contract, arising out of your submission.

Whether to provide a payment for the disclosure of a bug and the amount of the payment is entirely at our discretion, and we may cancel or modify the program at any time.

Only the earliest, responsibly-disclosed submission of a vulnerability instance with enough actionable information to identify the issue will be marked as valid. All other reports for a given issue will not be eligible for reward under our program.

Non-Qualifying Vulnerabilities

Furthermore, Spreaker does not consider the following to be eligible vulnerabilities:

Account squatting by preventing users from registering with certain email addresses

Attacks requiring MITM or physical access to a user’s device

Best practice reports without a valid exploit (for example, use of “weak” TLS ciphers)

Clickjacking on pages with no sensitive actions

Comma Separated Values (CSV) injection without demonstrating a vulnerability

Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

Denial of service

Disclosure of server or software version numbers

Hypothetical subdomain takeovers without supporting evidence

Issues that require unlikely user interaction

Missing best practices in Content Security Policy

Missing best practices in SSL/TLS configuration

Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, and so on)

Missing HttpOnly or Secure flags on cookies

Open redirect - unless an additional security impact can be demonstrated

Perceived security weaknesses without concrete evidence of the ability to compromise a user (for example, missing rate limits, missing headers, and so on)

Previously known vulnerable libraries without a working Proof-of-Concept

Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis

Rate limiting or brute-force issues on non-authentication endpoints

Reports exploiting the behavior of, or vulnerabilities in, outdated browsers

Reports of spam

Self-XSS

Session invalidation or other improved-security issues related to account management when a credential is already known (for example, password reset link does not immediately expire, adding MFA does not expire other sessions, and so on)

Social engineering

Software version disclosure / Banner identification issues / Descriptive error messages or headers (for example, stack traces, application or server errors)

Tabnabbing

Unconfirmed reports from automated vulnerability scanners

User/merchant enumeration

Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version)

Services in Scope

Reports for assets in the following domains are not eligible for reward:

blog.spreaker.com

try.spreaker.com

help.spreaker.com

elasticemail.spreaker.com

careers.spreaker.com

Third-party plugins, inclusions and websites are also excluded (e.g. JavaScript included by a third party).

Any other *.spreaker.com web services are intended to be in scope.

Reward Amounts

Rewards for qualifying bugs range from $100 to $1,000, sent to your PayPal account. The following table outlines the usual rewards given for the most common classes of bugs:

up to $100: vulnerabilities that compromise third-party user data (i.e. you can edit a third-party user's profile data)

up to $500: vulnerabilities that globally compromise user accounts (i.e. you can authenticate as any third-party user, you can delete any third-party account, you can change the email or password of any third-party account, ...)

up to $1,000: vulnerabilities that compromise Spreaker’s private data and servers (i.e. you can access the source code, query the database, get remote access to a server, etc.)