This engagement is an on-going bounty against a hosted vulnerability intelligence platform. The application processes over 50 million vulnerabilities daily on behalf of its customers against threat, exploit and breach data collected across 150+ countries across the internet.

Targets

The target services for this bounty is the Risk I/O application. You'll need an account to get started, sign up at www.risk.io. The domains in scope for this bounty: [yourdomain].risk.io

In order to be eligible for a reward, you must stay within your specific subdomain. Vulnerabilities reported outside of this domain will not be eligible for a reward.

The following finding types are specifically excluded from the bounty:

• Descriptive error messages (e.g. Stack Traces, application or server errors).
• Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
• HTTP 404 codes/pages or other HTTP non-200 codes/pages.
• Banner disclosure on common/public services.
• Disclosure of known public files or directories, (e.g. robots.txt).
• Clickjacking and issues only exploitable through clickjacking.
• Self-XSS and issues exploitable only through Self-XSS.
• CSRF on forms that are available to anonymous users (e.g. the contact form).
• Logout Cross-Site Request Forgery (logout CSRF).
• Presence of application or web browser ‘autocomplete’ or ‘save password

Policy source: https://bugcrowd.com/riskio