A bug bounty is a method offered by many websites and software developers that allows people to receive recognition and compensation after reporting bugs, especially those concerning exploits and vulnerabilities.

The main objective is to communicate with developers in order to improve the security of their software before hackers exploit it.

Our research and exploits will not be published publicly until the owner of the software authorizes or patches their services and applications.

The awards are based on severity as scored by CVSS (Common Vulnerability Scoring System). Please note that these are general guidelines, and award decisions are open to discussion.
The severity score may also vary depending on the complexity of the anomaly and on whether a working exploit is provided.

Impact on integrity, confidentiality and availability carries the most weight in the assessment.

Exploitation Metrics

Attack Vector (AV)

This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component.

  • Network
  • Adjacent Network
  • Local
  • Physical

Attack Complexity (AC)

The Attack Complexity metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions.

  • Low
  • High

Privilege Required (PR)

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

  • None
  • Low
  • High

User Interaction (UI)

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

  • None
  • Required

Scope (S)

An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. This consequence is represented by the metric Authorization Scope, or simply Scope. For more information see the CVSSv3 Specification (https://www.first.org/cvss/specification-document#i2.2).

  • Unchanged
  • Changed

Confidentiality (C)

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

  • None
  • Low
  • High

Integrity Impact (I)

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

  • None
  • Low
  • High

Availability Impact (A)

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component.

  • None
  • Low
  • High

CVSS score range

Low (0.1-3.9)
Medium (4.0-6.9)
High (7.0-8.9)
Critical (9.0-10.0)

Rewards and Severity class

Low

$150 average

Medium

$500 average

High

$1500 average

Critical

$2500 average


A report should include a summary of the bug, its severity, steps to reproduce, and a proof of concept with any supporting material (code, screenshots, logs, malicious code, …).