We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at ServiceRocket. Every day new security issues and attack vectors are created. ServiceRocket strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Targets

*demo1.trainingrocket.com NOTE: For testing purposes, please use test credit card numbers from https://stripe.com/docs/testing

You can create a user account at https://demo1.trainingrocket.com/login.html When creating a user account, please use the following format "[email protected] example: [email protected]" if you outside of demo1.trainingrocket.com, you are out of scope.

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.

The following finding types are specifically excluded from the bounty:

• Descriptive error messages (e.g. Stack Traces, application or server errors).
• Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
• HTTP 404 codes/pages or other HTTP non-200 codes/pages.
• Banner disclosure on common/public services.
• Disclosure of known public files or directories, (e.g. robots.txt).
• Clickjacking and issues only exploitable through clickjacking.
• Self-XSS and issues exploitable only through Self-XSS.
• CSRF on forms that are available to anonymous users (e.g. the contact form).
• Logout Cross-Site Request Forgery (logout CSRF).
• Presence of application or web browser ‘autocomplete’ or ‘save password

Policy source: https://bugcrowd.com/servicerocket