
BugBase
Bounty Range
$100 - $500
external program
Welcome to our bug bounty program, where we reward those who find our mistakes before our customers do. Think you've found a bug? Great, we can't wait to add your name to our 'hall of fame' (or shame, depending on the severity).
We take security seriously at BugBase, and we're committed to protecting our community. If you discover a potential security issue in our service, please report it to us immediately so that we can take appropriate action to resolve the issue.
To help us address the issue as quickly as possible, please provide us with as much information as possible about the issue, including details on how it was discovered and the potential impact it could have.
Our bug bounty program is specifically for reporting potential security vulnerabilities. If you want to report a functional bug, need assistance with a submission, or have a general query, please visit our contact page for assistance.
We ask that you give us a reasonable amount of time to resolve the issue before disclosing it to the public or any third parties. We also request that you make a good faith effort to avoid causing any harm or damage to our service or violating the privacy of our users while investigating the issue.
We're flattered that you want to test the limits of our security, but please try to contain your excitement and follow the rules.
Please don't run scanners or automated tools against our systems; we only want to see your creative hacking skills in action. And don't worry, our security team already knows how to run tools like Nuclei and Nessus. Show us what you've got!
Please keep in mind that vulnerabilities must not be discussed publicly until they have been fixed. If you want to provide a proof of concept such as a video, make sure its privacy settings are set to private so that the vulnerability is not publicly disclosed.
Note: all PoCs must be tried and tested on our sandbox domain testing.bugbase.in to avoid spam on our main website. Reports whose PoCs were run against our main website (bugbase.in) will be marked as spam.
Please provide detailed reports with clear textual description of the report along with steps to reproduce the vulnerability.
You must include attachments such as screenshots or PoC code as necessary.
Include a clear attack scenario. How will this affect us exactly?
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Please prioritize the quality of reported vulnerabilities over their quantity. We encourage researchers to thoroughly research and validate any potential vulnerability before reporting it, so that the issues identified can be addressed promptly and effectively. By focusing on the quality of your reports, you help us keep our systems as secure as possible.
You must be the first reporter of the vulnerability.
You must follow our disclosure and reporting guidelines as outlined above.
You must not be in violation of any national, state, or local laws or regulations that would prevent us from processing your rewards or payments.
The amount of the reward will be determined on a case-by-case basis, taking into account the severity and impact of the vulnerability.
We will not pay a reward for:
Vulnerabilities that have been previously reported or are already known to us.
Vulnerabilities that are disclosed to a third party before being reported to us.
Vulnerabilities reported by current employees, or by former employees who left within the past three months.
Any subdomain of bugbase.in that is not explicitly listed as in scope.
All testing and staging environments are out of scope for this program (the testing.bugbase.in sandbox is where PoCs are reproduced, not a target in its own right).
External services or software that Bugbase does not manage or control are generally out of scope. We are still interested in hearing about vulnerabilities in them that could affect our systems or users, such as those that could leak personally identifiable information (PII) of our customers, and will consider such reports for a reward on a case-by-case basis.
The following categories of reports are considered out of scope for our program and will not be rewarded:
Reports that simply enumerate already claimed user and program handles will not be eligible for a reward, as they do not reveal any sensitive information. This applies regardless of whether the associated profiles are public or private.
Spamming other users with automated Bugbase emails or notifications (e.g. abusing the forgot password form).
Publicly known vulnerabilities (public zero-days) in third-party software for which an official patch has been available for less than one month will be considered for a bounty only on a case-by-case basis; this gives us time to apply the patch.
Previously known vulnerable libraries without a working Proof of Concept.
Discovering a subdomain takeover without actually taking control of the subdomain is out of scope and not eligible for a reward. When you do claim a subdomain, serve only a harmless proof file; do not host content that could affect our users (see the good-faith requirement above).
Information disclosure without significant, demonstrable impact.
Information leakage, data cached in search engines or the web archive.
Self XSS and XSS without impact.
Password and account recovery policies.
Session management issues, such as session timeout or session hijacking.
Clickjacking on pages with no sensitive actions.
Cross-Site Request Forgery (CSRF) on forms with no sensitive actions or without a realistic exploitation scenario.
Attacks requiring a man-in-the-middle (MITM) position or physical access to a user's device.
Comma Separated Values (CSV) injection without demonstrating an actual vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS), and self-DoS issues (where only the person performing the action is denied service).
Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.
Rate limiting or brute force issues on non-authentication endpoints.
Missing best practices in Content Security Policy.
Missing HTTP Only or Secure flags on cookies.
Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
Vulnerabilities only affecting users of outdated or unpatched browsers (more than two stable versions behind the latest stable release).
Software version disclosure, banner identification issues, and descriptive error messages or headers (e.g., stack traces, application or server errors).
Tabnabbing.
Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.
Issues that require unlikely user interaction.
Bugbase will not pursue legal action against individuals who accidentally and in good faith violate our policies, nor will we file a complaint for circumventing technological measures that protect our in-scope systems as part of ethical hacking activities.
If legal action is taken against you by a third party, and you have followed our guidelines, we will take steps to make it known that your actions were conducted with our approval and in compliance with our policies.
The bugs are out there, and we're counting on you to track them down. Let the hunt commence!
In-scope assets

| Asset | Type |
|---|---|
| https://bugbase.ai | Web |

Reward by severity

| Severity | Bounty |
|---|---|
| Critical | $500 |
| High | $250 |
| Medium | $100 |
| Low | $0 |