Submit bug report: https://skinport.com@skinport
What we would like you to give special attention to:
Trading/Purchase manipulations (e.g. trading with no confirmed payment)
Unauthorized access to project servers (e.g. vulnerabilities that leads to RCE).
XSS vulnerabilities on the assets with critical functionality (with proven script execution)
Serverside vulnerability with information disclosure (e.g. memory Leaks / IDORs) of critical or highly confidential data
Any other vulnerability that breaks business logic or can lead to loss of user privacy.
We will continue to monitor the reward amounts and reserve the right to change the amounts at any time.
Policy
Skinport is a marketplace for digital in-game items from famous games like CS:GO, Dota 2, Rust and Team Fortress 2. Customers can sell and buy their items on our website. We are using the Platform Steam to trade (trade offer) these digital assets.
We look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
Program Rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degra.
Response Targets
Skinport will make a best effort to meet the following response targets for hackers participating in our program:
Time to triage (from report submit) - 5 business days
Time to bounty decision (from report submit) - 15 business days
Time to issue resolved (from report submit) - 31 business days
Exclusions
While researching, we'd like to ask you to refrain from:
Spamming
Social engineering (including phishing) of Skinport staff or contractors
Any physical attempts against Skinport property or data centers
Manipulating on accounts not owned by you
Withdrawal of unfairly received CS:GO skins from the site
Stealing and disclosure of Skinport user's private information
Distributed network/request flooding and another resources exhaustion attacks. Automated scanning tools must be limited to 5 request per second (300 requests per minute) to one target host summing up all tools and threads running in parallel and must not exceed 5 parallel requests at the same time (5 threads).
Disclosure Policy
As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organisation.
Follow HackerOne's disclosure guidelines. dation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Skinport and our users safe!
