Details

Skinport is a marketplace for digital in-game items from famous games like CS:GO, Dota 2, Rust and Team Fortress 2. Customers can sell and buy their items on our website. We are using the Platform Steam to trade (trade offer) these digital assets.

We look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degra

Testing Scope

You may test only with Skinport account(s) for which you are the account owner.
You must create an account with your HackerOne email alias to be eligible for bounty.

All researchers on HackerOne have an email alias in the format [email protected], which automatically forwards to your real email address.

If you would like to create additional test accounts, add a plus (“+”) sign and any combination of words or numbers after your username. For example: [email protected]. This enables you to test different attack vectors / account levels without targeting other users or creating multiple HackerOne profiles.

Response Targets

Skinport will make a best effort to meet the following response targets for hackers participating in our program:

Time to triage (from report submit) - 5 business days
Time to bounty decision (from report submit) - 15 business days
Time to issue resolved (from report submit) - 31 business days

Exclusions

While researching, we'd like to ask you to refrain from:

Spamming
Social engineering (including phishing) of Skinport staff or contractors
Any physical attempts against Skinport property or data centers
Manipulating on accounts not owned by you
Withdrawal of unfairly received CS:GO skins from the site
Stealing and disclosure of Skinport user's private information
Distributed network/request flooding and another resources exhaustion attacks. Automated scanning tools must be limited to 5 request per second (300 requests per minute) to one target host summing up all tools and threads running in parallel and must not exceed 5 parallel requests at the same time (5 threads).

Disclosure Policy

As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organisation.
Follow HackerOne's disclosure guidelines. dation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Skinport and our users safe!

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degra

Testing Scope

You may test only with Skinport account(s) for which you are the account owner.

You must create an account with your HackerOne email alias to be eligible for bounty.

All researchers on HackerOne have an email alias in the format [email protected], which automatically forwards to your real email address.

Exclusions

While researching, we'd like to ask you to refrain from:

Spamming

Social engineering (including phishing) of Skinport staff or contractors

Any physical attempts against Skinport property or data centers

Manipulating on accounts not owned by you

Withdrawal of unfairly received CS:GO skins from the site

Stealing and disclosure of Skinport user's private information

Distributed network/request flooding and another resources exhaustion attacks. Automated scanning tools must be limited to 5 request per second (300 requests per minute) to one target host summing up all tools and threads running in parallel and must not exceed 5 parallel requests at the same time (5 threads).

Disclosure Policy

As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organisation.

Follow HackerOne's disclosure guidelines. dation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Safe Harbor

Thank you for helping keep Skinport and our users safe!