Uzbey is currently offline for some new developments. At this time we are not accepting any bug submissions. Thank you {F151011}

We are interested and appreciate any vulnerability discovered on https://staging.uzbey.com. The staging site has been created for this sole purpose - for you to break it.

Please refrain from ANY testing of the live site. The sites in terms of code are identical, therefore the need to test the live site should not be there. Please feel free to create a real account on Uzbey.com, but again please do not perform any security testing on this domain.

Unfortunately we cannot offer any bounties at this time, as much as we would like too. However a Wall of Fame is rewarded to those who qualify.

Automated Scanning is STRICTLY prohibited

Scope

We are generally looking for the following types of vulnerabilities:

• SQL Injection
• Remote Code Execution
• Cross-Site Request Forgery
• Directory Traversal
• Cross-Site Scripting
• Information Disclosure
• Logical Issues

However any time you spend looking at http://bugbountyhq.com is extremely appreciated . You may also report other types of vulnerabilities and will recognize your effort in another way, as long as the reports are within the scope of our program.

Exclusions

• Clickjacking (without an attack vector and/or a working POC)
• Missing Security Headers (eg. HSTS, CSP)
• Missing Secure Flags on Cookies
• Autocomplete Enabled
• Social Engineering Techniques
• BEAST/CRIME
• SSL issues (weak ciphers/key-size)
• CSRF without any security impact
• Weak SSL Cipher
• User Enumeration
• TRACE/OPTIONS Enabled
• Rate Limiting (unless it constitutes a significant risk)

Please don't send us Qualys SSL Labs (https://www.ssllabs.com) reports, such reports will never be considered