Submit bug report: http://risk.io @riskio
Policy
This engagement is an ongoing bounty against a hosted vulnerability intelligence platform. The application processes over 50 million vulnerabilities daily on behalf of its customers against threat, exploit and breach data collected from 150+ countries across the internet.
Targets
The target service for this bounty is the Risk I/O application. You'll need an account to get started; sign up at www.risk.io. The domains in scope for this bounty: [yourdomain].risk.io
In order to be eligible for a reward, you must stay within your specific subdomain. Vulnerabilities reported outside of this domain will not be eligible for a reward.
The following finding types are specifically excluded from the bounty:
Descriptive error messages (e.g. Stack Traces, application or server errors).
Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
Banner disclosure on common/public services.
Disclosure of known public files or directories (e.g. robots.txt).
Clickjacking and issues only exploitable through clickjacking.
Self-XSS and issues exploitable only through Self-XSS.
CSRF on forms that are available to anonymous users (e.g. the contact form).
Logout Cross-Site Request Forgery (logout CSRF).
Presence of application or web browser ‘autocomplete’ or ‘save password
Policy source: https://bugcrowd.com/riskio
Policy: https://bugcrowd.com/riskio/report
Domains
yourdomain.risk.io
risk.io
HackerOne Directory
Information is provided and moderated by members of the community. Accuracy has not been validated by HackerOne. This page is not affiliated with Risk.io.