Bekchy Bug Bounty Program

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

General Requirements:

Accepted Reports
- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control
- SQLi
- RCE
- XXE
- Cache Poisoning

Non-acceptable Reports
- Self XSS
- Information Disclouser
- Click Hijacking
- HTML Injection
- CORS
- CSRF/XSRF on unauthenticated pages (Login Page) or logout
- Lack of rate limiting on a particular API or other 'load testing' types of issues
- Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags
- Denial-of-service vulnerabilities
- Stack traces
- Application or server error messages
- Use of out-of-date 3rd-party libraries without proof of exploitability
- Vulnerabilities in 3rd-party scripts used on New Relic websites
- Leaking information via the Referer header
- Missing X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, or X-XSS-Protection HTTP headers
- SPF, DMARC or other email configuration related issues
- Password or account recovery policies, such as reset link expiration or password complexity
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
- Version number/banner disclosure on public facing websites
- Disclosure of known public files or directories, (e.g. robots.txt)
- Lack of DNSSEC
- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)
- HTTP TRACE or OPTIONS methods enabled
- Clickjacking on pages without authentication and/or sensitive state changes
- Vulnerabilities only affecting end of life browsers or platforms
- Self-XSS and issues exploitable only through Self-XSS
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Content spoofing/text injection
- Reports concerning agents with outdated packages with security vulnerabilities should be accompanied by an example showing how they'd be leveraged within the agent
- Attacks requiring a Man-in-the-Middle, with no other possible exploitation
- WordPress username enumeration
- Node sandbox escape to the Synthetics minion container (barring privileged access, see High above)

Testing Requirements:

- Do not delete any data if any vulnerability found

Possible Awards:

- Low Severity : $10
- Medium Severity : $10-$30
- High Severity : $30-$100
- Critical Severity : $100+

Special Notes:

Out of scope domains : cdn.bekchy.com