Fondy Bug Bounty Program

Fondy runs a bug bounty program to ensure the highest level of security and privacy for its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements set out below by Fondy.

Open Bug Bounty performs triage and verification of the submissions. However, Open Bug Bounty does not intervene in the subsequent remediation and disclosure process between Fondy and researchers.

The bug bounty program allows both private and public submissions.

Bug Bounty Scope

The following websites are within the scope of the program:

*.fondy.eu

Non-Intrusive Submissions Handling

The following section covers submissions of vulnerabilities that do not require intrusive testing under Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

We assess the severity of security issues using the Common Vulnerability Scoring System v3.0 (https://www.first.org/cvss/calculator/3.0):
None: 0.0
Low: 0.1 – 3.9
Medium: 4.0 – 6.9
High: 7.0 – 8.9
Critical: 9.0 – 10.0

As is usual practice for reward programs, we ask you to use common sense when looking for security bugs. Expect us to fix the vulnerability within a reasonable time. Avoid compromising the data of other users and accounts; use only your own or dummy data when searching for vulnerabilities.

We do not reward vulnerabilities related to:
– denial of service (DoS/DDoS)
– spam or social engineering
– vulnerabilities in third-party applications and services used by Fondy
– software version disclosure
– self-XSS
– missing security flags on non-sensitive cookies
– testing that changed or damaged the data of real Fondy users

Testing Requirements:

The list of domains that are participating in the reward program:
*.fondy.eu
*.fondy.ua
*.fondy.ru
*.cloudipsp.com
*.cipsp.net

As with most security reward programs, there are some limitations:
– we reward only the first person who informs us about a given problem
– problems that were publicly disclosed before Fondy was given sufficient time to fix them are not rewarded
– your security research must not violate the law

Possible Awards:

The bug bounty reward program is paused due to the high number of duplicate reports. It will be restarted once the major issues have been fixed.

Other Submissions Handling

The website owner wants to receive information about other vulnerabilities as well.

Notifications:

If you think you have found a security bug in Fondy, contact us at [email protected] and attach a detailed report of the problem. We will respond to your message as quickly as possible. We ask you not to disclose the problem until Fondy specialists have fixed it.

PGP Key:

https://docs.fondy.eu/docs/page/fondy-public-pgp-key/

Researcher's comments

17 July, 2019
aqibshah:
@programmanager I have reported a vulnerability via email ID. Kindly check it.