Report a Vulnerability
Submit, help fixing, get kudos.
Start a Bug Bounty
Run your bounty program for free.
611,628 coordinated disclosures
393,143 fixed vulnerabilities
928 bug bounties with 1,860 websites
18,807 researchers, 1199 honor badges

Timeweb Bug Bounty Program

Timeweb runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program subject to the below-mentioned conditions and requirements of Timeweb

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene to the further process of vulnerability remediation and disclosure between Timeweb and researchers.

Bug bounty program allow private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:


Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect

- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

In Scope Vulnerabilities:
-Remote Code Execution (RCE)
-SQL Injection
-Local-Remote File Inclusion (LFI/RFI)
-XML External Entity (XXE)
-Broken Authentication
-Sensitive Data Exposure
-Cross-Site Scripting (XSS)
-Security Misconfiguration (real example)
-Server Side Request Forgery (SSRF)
-Сross Site Request Forgery (CSRF)
-Insecure Direct Object References (IDOR)
-Privacy bypass
-Other Injections
-Implementation of bypassing financial instruments (charge of funds) removal of restrictions on paid operations and services

Out-of-scope vulnerabilities:
-Any XSS that can be done only within 1 account
-Any CSRF except for those that can be used in the chain, or except for those that have a real example, the operation of which affects critical resources (individual assessment of criticality for each report)
-Any interaction between connected accounts is considered as not critical and it's a responsibility of the customer
-Privilege escalation from secondary VH account to primary account
-Simplified registration and authorization, without confirmation of captcha, SMS and other best practices
-Any public information about employees and customers
-Vulnerabilities in third-party applications
-Lack of best security practices and protection mechanisms without evidence of vulnerability
-Recently (less than 30 days) disclosed 0day vulnerabilities
-Vulnerabilities affecting users of outdated browsers or platforms
-Social engineering, phishing, physical, or other fraud activities
-Publicly accessible login panels without proof of exploitation
-Reports that state that software is out of date/vulnerable without a proof of concept
-Vulnerabilities involving active content such as web browser add-ons
-Most brute-forcing issues
-Weak password policies
-Disclosure of information that does not pose a significant risk
-Denial of service
-Theoretical issues
-Missing HTTP security headers
-Infrastructure vulnerabilities, including:
--Certificates/TLS/SSL related issues
--DNS issues (i.e. MX records, SPF records, etc.)
--Server configuration issues (i.e., open ports, TLS, etc.)
-Open redirects
-Session fixation
-User account enumeration
-Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
-Descriptive error messages (e.g. Stack Traces, application or server errors)
-Self-XSS that cannot be used to exploit other users
-Logout CSRF
-CSRF in forms that are available to anonymous users (e.g. the contact form)
-OPTIONS/TRACE HTTP method enabled
-Host header issues without proof-of-concept demonstrating the vulnerability
-Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
-Content Spoofing without embedded links/HTML
-Reflected File Download (RFD)
-IDN Homographic Attacks

Testing Requirements:

Strictly prohibited:
-Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
-Make every effort not to damage or restrict the availability of products, services or infrastructure
-Avoid compromising any personal data, interruption or degradation of any service
-Don’t access or modify other user data, localize all tests to your accounts
-Perform testing only within the scope
-Attack corporate infrastructure
-Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam
-Don’t spam forms or account creation flows using automated scanners
-In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
-Only the first valid bug is eligible for the reward
-Don’t break any law and stay in the defined scope
-Comply with the rules of the program

Possible Awards:

Currently only Kudos

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

Response Time  Information How quickly researchers get responses to their submissions.
Remediation Time  Information How quickly reported submissions are fixed.
Cooperation and Respect  Information How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.

  Latest Patched


  Latest Blog Posts

26.10.2020 by _r00t1ng_
Bypass Addslashes using Multibyte Character
26.10.2020 by _r00t1ng_
One Payload to Inject them all - MultiQuery Injection
26.10.2020 by _r00t1ng_
Routed SQL Injection
26.10.2020 by _r00t1ng_
DIOS the SQL Injectors Weapon
26.10.2020 by p4c3n0g3
How to find AngularJS XSS

  Recent Recommendations

@MizoueShumpei     29 October, 2020
    Twitter MizoueShumpei:
Thank you very much for your help.
@adridder     28 October, 2020
    Twitter adridder:
Thank you for your help with this XSS vulnerability on our site. We appreciate the responsible reporting via openbugbounty.
@gaborvitez     28 October, 2020
    Twitter gaborvitez:
Ajaysen R found a reflected cross site scripting bug in one of our cgi scripts, this way he helped us improve the security of our website. He was really fast to react, working with him was really a pleasure. We are grateful for the issues he made us aware of.
@Jobe1986     28 October, 2020
    Twitter Jobe1986:
Thank you for your efforts and reporting the XSS vulnerability you found on my website.
@TConfetti     28 October, 2020
    Twitter TConfetti:
Vighnesh Gupta was responsive and professional in helping us remediate a bug on our website. Thank you for your insight, Vighnesh.