Report a Vulnerability
Submit, help fixing, get kudos.
Start a Bug Bounty
Run your bounty program for free.
491,788 coordinated disclosures
268,292 fixed vulnerabilities
661 bug bounties with 1,339 websites
13,623 researchers, 1032 honor badges

Bekchy Bug Bounty Program

Bekchy runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program subject to the below-mentioned conditions and requirements of Bekchy

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene to the further process of vulnerability remediation and disclosure between Bekchy and researchers.

Bug bounty program allow private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

*.bekchy.com

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect

- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

Accepted Reports
- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control
- SQLi
- RCE
- XXE
- Cache Poisoning

Non-acceptable Reports
- Self XSS
- Information Disclouser
- Click Hijacking
- HTML Injection
- CORS
- CSRF/XSRF on unauthenticated pages (Login Page) or logout
- Lack of rate limiting on a particular API or other 'load testing' types of issues
- Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags
- Denial-of-service vulnerabilities
- Stack traces
- Application or server error messages
- Use of out-of-date 3rd-party libraries without proof of exploitability
- Vulnerabilities in 3rd-party scripts used on New Relic websites
- Leaking information via the Referer header
- Missing X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, or X-XSS-Protection HTTP headers
- SPF, DMARC or other email configuration related issues
- Password or account recovery policies, such as reset link expiration or password complexity
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Version number/banner disclosure on public facing websites
- Disclosure of known public files or directories, (e.g. robots.txt)
- Lack of DNSSEC
- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)
- HTTP TRACE or OPTIONS methods enabled
- Clickjacking on pages without authentication and/or sensitive state changes
- Vulnerabilities only affecting end of life browsers or platforms
- Self-XSS and issues exploitable only through Self-XSS
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Content spoofing/text injection
- Reports concerning agents with outdated packages with security vulnerabilities should be accompanied by an example showing how they'd be leveraged within the agent
- Attacks requiring a Man-in-the-Middle, with no other possible exploitation
- WordPress username enumeration
- Node sandbox escape to the Synthetics minion container (barring privileged access, see High above)

Testing Requirements:

- Do not delete any data if any vulnerability found

Possible Awards:

- Low Severity : $10
- Medium Severity : $10-$30
- High Severity : $30-$100
- Critical Severity : $100+

Special Notes:

Out of scope domains : cdn.bekchy.com

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

 
Response Time  How quickly researchers get responses to their submissions.
Remediation Time  How quickly reported submissions are fixed.
Cooperation and Respect  How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.

  Latest Patched

 20.01.2020 baku.ws
 20.01.2020 cqu.edu.au
 20.01.2020 espn.in
 20.01.2020 sahibinden.com
 20.01.2020 singularityhub.com
 20.01.2020 outlookindia.com
 20.01.2020 suratkabar.id
 20.01.2020 wzayef.com
 20.01.2020 11street.my

  Latest Blog Posts

16.01.2020 by Open Bug Bounty
Brief Recap of Open Bug Bounty’s Record Growth in 2019
12.01.2020 by JCQ_47
WAF Cloudflare Bypass XSS at Nexusmods.com
08.01.2020 by devl00p
Top 100 Open Redirect dorks
08.01.2020 by Rando02355205
XSS WAF Bypassed
31.12.2019 by Open Bug Bounty
Happy bug hunting in 2020, let’s make Web secure with Open Bug Bounty!

  Recent Recommendations

    20 January, 2020
     PaulMar23292621:
Miguel showed us several information disclosure issues with our site. Thank you very much Miguel!
    18 January, 2020
     damnitjim:
Thanks for taking the time to report the weaknesses and really appreciate the wapiti tool that you've developed.
    17 January, 2020
     gexsi_search:
Many thanks for your support!
    17 January, 2020
     smay84:
Thank you for your quick response and helpful information.
    17 January, 2020
     RohitIn20189381:
Great job on finding that XSS.