
Percona Bug Bounty Program

Percona runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Percona set out below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the subsequent process of vulnerability remediation and disclosure between Percona and researchers.

This bug bounty program allows private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

No verified websites yet

Non-Intrusive Submissions Handling

This section covers submissions of vulnerabilities that do not require intrusive testing under Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

Percona reserves all legal rights in the event of non-compliance with the following General Requirements and Testing Requirements.

- You may test only against an account that you own.
- Account holders wishing to authorize a third-party agent must first request authorization for testing from Percona and obtain it in writing before any testing takes place.

Reporting:

Reports should be sent to security {at} percona.com (replacing {at} with @ and removing the spaces);
we'll work with you to ensure we fully understand the scope of the issue reported and that it is addressed in a timely manner.

If you wish to send us an encrypted message, please use our public GPG key (https://keybase.io/percona_security/pgp_keys.asc?fingerprint=88f513aa99b1d2ea8e0f86e70b6ab3a277060327). After importing the key, confirm that its fingerprint matches the one given in that URL before encrypting your report to it.

Please ensure your report includes screenshots demonstrating the suspected vulnerability and a full description of the steps required to reproduce it. If we cannot reproduce your issue it will be disregarded, so please help ensure we have the information required to move forward with your report.

Thank You!

We sincerely appreciate your time and effort.

Testing Requirements:

Prohibited testing list:

- Any tests which could lead to potential interruption of service, such as DDoS or DoS attacks.
- Fuzzing without prior authorization from Percona.
- Uploading or distributing malicious payloads (e.g. browser exploitation, request redirection, phishing, webshells, etc.).
- Testing which would yield unauthorized access, junk mail, spam, phishing or any other unsolicited mail.
- Testing from any country presently under U.S. sanctions.
- Testing which would degrade the performance, reliability and/or availability of services.
- Targeting individuals (e.g. phishing, spear phishing, social engineering, man-in-the-middle, malicious HID devices, etc.).

Possible Awards:

- Ad-hoc monetary reward based on the level of effort and the criticality of the issue.
- T-shirts, stickers and other promotional branded items.

Other Submissions Handling

The website owner wants to receive information about other vulnerabilities.

Notifications:

You must contact security {at} percona.com (replacing {at} with @ and removing spaces); we will coordinate with you on any issue you suspect you have discovered. Alternatively, you can contact us via Keybase: request this in an email to security {at} percona.com (replacing {at} with @ and removing spaces) and we will provide you with an assigned point of contact to work on the reported issue.

PGP Key:


-----BEGIN PGP PUBLIC KEY BLOCK-----
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=rr0f
-----END PGP PUBLIC KEY BLOCK-----

General Requirements:

If you discover or suspect a serious vulnerability, we require the following from you so that our team can assess the reported issue:

- The full URL.
- The full method of the suspected SQL injection.
- A screenshot of the suspected information disclosed (if any).
- Cease your testing and await further instruction from our security team.

Testing Requirements and Possible Awards: the same as listed under Non-Intrusive Submissions Handling above.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

Response Time: how quickly researchers get responses to their submissions.
Remediation Time: how quickly reported submissions are fixed.
Cooperation and Respect: how fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.
