
Bekchy Bug Bounty Program

Bekchy runs a bug bounty program to ensure the security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Bekchy set out below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the subsequent process of vulnerability remediation and disclosure between Bekchy and researchers.

This bug bounty program allows private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

*.bekchy.com

Non-Intrusive Submissions Handling

This section covers submissions of vulnerabilities that do not require intrusive testing under Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

Accepted Reports
- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control
- SQLi
- RCE
- XXE
- Cache Poisoning

Non-acceptable Reports
- Self-XSS
- Information Disclosure
- Clickjacking
- HTML Injection
- CORS misconfiguration
- CSRF/XSRF on unauthenticated pages (Login Page) or logout
- Lack of rate limiting on a particular API or other 'load testing' types of issues
- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags
- Denial-of-service vulnerabilities
- Stack traces
- Application or server error messages
- Use of out-of-date third-party libraries without proof of exploitability
- Vulnerabilities in third-party scripts used on Bekchy websites
- Leaking information via the Referer header
- Missing X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, or X-XSS-Protection HTTP headers
- SPF, DMARC or other email configuration related issues
- Password or account recovery policies, such as reset link expiration or password complexity
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Version number/banner disclosure on public facing websites
- Disclosure of known public files or directories, (e.g. robots.txt)
- Lack of DNSSEC
- TLS/SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)
- HTTP TRACE or OPTIONS methods enabled
- Clickjacking on pages without authentication and/or sensitive state changes
- Vulnerabilities only affecting end of life browsers or platforms
- Self-XSS and issues exploitable only through Self-XSS
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Content spoofing/text injection
- Reports concerning agents with outdated packages that have known security vulnerabilities must be accompanied by an example showing how the vulnerability could be leveraged within the agent
- Attacks requiring a Man-in-the-Middle, with no other possible exploitation
- WordPress username enumeration
- Node sandbox escape to the Synthetics minion container (barring privileged access, see High above)

Testing Requirements:

- Do not delete any data when testing or demonstrating a vulnerability

Possible Awards:

- Low Severity : $10
- Medium Severity : $10-$30
- High Severity : $30-$100
- Critical Severity : $100+

Special Notes:

Out-of-scope domains: cdn.bekchy.com

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

Response Time: How quickly researchers get responses to their submissions.
Remediation Time: How quickly reported submissions are fixed.
Cooperation and Respect: How fairly and respectfully researchers are treated.

Researcher's comments

No comments so far.
