Submit bug report: https://eure.jp
Eureka Bug Bounty Program Terms
Security is a priority at Eureka. If you believe you've found a security bug in our in-scope applications or infrastructure, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.
Your participation in our Bug Bounty Program is voluntary and by invitation-only. By joining our Bug Bounty Program, submitting a report or otherwise disclosing a vulnerability to us (“Submission”), you are indicating that you have read and agree to follow the rules set forth on this page (“Program Terms”).
If (i) you do not meet the eligibility requirements below; (ii) you breach any of these Program Terms or any other agreements you have with Eureka or its affiliates; or (iii) we determine that your participation in our Bug Bounty Program could adversely impact us, our affiliates or any of our users, employees or agents, we, in our sole and absolute discretion, may remove you from our Bug Bounty Program and disqualify you from receiving any benefit of our Bug Bounty Program.
Confidentiality
Regardless of the manner (whether as a direct result of you finding and/or investigating a security bug in our in-scope applications/infrastructure or received/collected through other methods) and timing (whether after or before you joined the Bug Bounty Program) in which it was obtained, any information about us, our services, our affiliates or any of our users, employees or agents in connection with our Bug Bounty Program (“Confidential Information”) must be kept confidential, only used in connection with the Bug Bounty Program and not disclosed to any third party. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your participation in our Bug Bounty Program and any Submission.
By joining our Bug Bounty Program, you represent and warrant that you have not used and will not use Confidential Information for any purpose other than in connection with the Bug Bounty Program and that you have not shared and will not share such Confidential Information with any third party.
At any time after a Submission is made, Eureka reserves the right to request that you securely and irreversibly delete any data related to such Submission, including, without limitation, any data about us, our services, our affiliates or any of our users, employees or agents.
Upon making a Submission, you accept the responsibility to fully comply with any such request.
Additionally, you agree to securely and irreversibly delete any data related to the Submission immediately upon it no longer being reasonably necessary to retain for the purposes of conveying the impact or scope of the reported issue, after verifying with Eureka that it is no longer necessary, and/or if the Submission is closed, regardless of outcome.
Eligibility to Participate
To participate in our Bug Bounty Program, you must:
Be at least 18 years of age if you test using an account in the "Pairs" app, or otherwise be the age of majority in your jurisdiction of residence.
Be at least 13 years old and have the consent of your parent or guardian to participate in our Bug Bounty Program if you are under the age of majority in your jurisdiction of residence.
Not be a resident of, or make a Submission to our Bug Bounty Program from, a country against which the United States has issued export sanctions or other trade restrictions.
Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Bug Bounty Program.
Not be employed by Eureka or any of its affiliates or an immediate family member of a person employed by Eureka or any of its affiliates.
You are responsible for any tax implications of a reward from our Bug Bounty Program depending on your country of residency and citizenship.
Program Ground Rules
Don’t mass create accounts to perform testing against our applications and services.
Don’t conduct automated testing - under no circumstances is automated testing allowed, and it will result in disqualification of the security bug(s).
Don’t engage in social engineering (e.g. phishing, vishing, smishing).
Don’t attempt to extort us.
Don’t leave any system in a more vulnerable state than you found it.
Don’t publicly disclose vulnerabilities.
Do respect our users’ privacy.
Do research vulnerabilities and disclose vulnerabilities to us in good faith.
Do be respectful when interacting with our team.
Bounty Eligibility
Eureka reserves the right to decide if the minimum severity threshold is met and whether the vulnerability was previously reported.
To qualify for a reward under this program, you must:
Send a clear textual vulnerability description of the bug along with the steps to reproduce the vulnerability.
Include attachments such as screenshots and proof of concept code as necessary. A clear description and proof of concept helps you prove that the security bug is legitimate and speeds up the reward process.
Be the first to report a specific vulnerability.
Disclose the vulnerability report directly and exclusively to us. Reminder: you are not permitted to disclose vulnerabilities to third parties -- including vulnerability brokers.
Stay in scope.
Do not attempt to elevate privileges, or explore a system beyond the minimum necessary to prove access or attempt to pivot in any way. This will disqualify you from receiving a bounty.
In general, the following would not meet the threshold for inclusion:
Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main website / application
Denial of service
Social engineering
Spamming
Homographs, RTLO, or other types of UI issues
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Click-jacking, or issues only exploitable via click-jacking
Disclosure of known public files or directories (.htaccess, robots.txt, etc)
Third-party vulnerabilities (e.g. WordPress) that have recently become publicly known will generally be out of scope for a period of 30 days from the public release of an official patch or workaround.
Missing or misconfigured security headers which do not lead directly to a vulnerability
Overly verbose responses (errors, banners, etc.), which cannot be directly used in an exploit
Software version disclosure without proof of exploitability
Reports from automated tools or scans
Lack of certificate pinning, or HSTS
TLS/SSL version, configuration, weak ciphers or expired certificates
Lack of Secure or HttpOnly flags on cookies
Lack of, or weak, Captcha, or rate-limiting
Tap-jacking
Tab-nabbing
SPF/DKIM/DMARC related issues, including missing SPF records on subdomains
Scenarios that require unlikely user interaction and/or outdated OS or software version
Self-XSS
Login/Logout CSRF
Unrestricted file uploads without a clear impact, beyond resource consumption, DoS, undesirable content, etc.
Third-party API Keys/Secrets embedded in mobile applications, without a clear impact, as many third parties require this for their own client attribution purposes.
The ability to obtain multiple promotional items by opening multiple accounts
Most GPS spoofing related issues
Attacks against corporate IT infrastructure (e.g. firewalls and their software)
Attacks against employees (phishing, stealing laptops, physical security issues, etc.)
Host header injection without a clearly exploitable condition
Mobile client issues requiring a rooted device and/or outdated OS version
Attacks requiring MITM or physical access to a user's device.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Program Updates and Licenses
We may modify the Program Terms or cancel our Bug Bounty Program at any time in our sole and absolute discretion.
As a condition of participation in our Bug Bounty Program, you hereby grant Eureka and its affiliates a perpetual, irrevocable, worldwide, royalty-free, transferable, sublicensable and exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Eureka in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us. You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission.
Domains
*.pairs.lv
*.pairs.tw
*.pairs-korea.com
*.pairs.kr
*.eure.jp