JAF Development Webshop & CMS Bug Bounty Program

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

General Requirements:

We are very interested in hearing about any potential security issues on our domain

https://at.jaf-development.com

from you. We are happy to thank everyone with a PayPal donation reward, who submits accurate reports which help us improve our web security.

* Please be patient and give us enough time to verify your report.
* Please do not share gathered information with third parties.
* Please provide enough information for us to be able to reproduce your findings. Send as a clear textual description, screenshots and/or PoC. There is no need to actually exploit the website, just describe how we can reproduce. We will then analyze the finding, before we approving it.


As the provided domain is a test/development copy of our live web page, and having an own stack, including database, we can offer testing for several types of vulnerabilities:
* Cross-Site Scripting (XSS)
* Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
* Authentication and Authorization Flaws
* Cross-Site Request Forgery (CSRF)
* Remote Code Execution (RCE)
* Code injections (HTML, JS, SQL, PHP, etc.)
* Insecure direct object references
* Directory Traversal
* Privilege Escalation

Testing Requirements:

There are some things we explicitly ask you not to do:
* If you run automated scans, choose low impact settings (limit requests per minute).
* Do not test using social engineering techniques (phishing, etc.)
* Do not perform DoS or DDoS attacks.
* Do not attack our customers & users, or use any stolen user credentials.

In scope:
https://at.jaf-development.com
This domain is our development instance of our live CMS & Web shop. It is an exact replica of the live page.

Out of scope:
All other companies and services acquired by united-domains are not in scope. That includes other hostnames or other subdomains not listed as in scope. For example there are several similar subdomains like https://de.jaf-development.com/. This has the same code page, so please just test the provided subdomain.

Possible Awards:

We are ready to reward you with a PayPal donation for your efforts to improve our web security as a thank you.

Depending on the vulnerability severity (0-10, Low-Critical) the reward will range between 10-100 USD.

We reserve the right to adjust the bounty amount and change the report's vulnerability level accordingly. We also have a total budget, once this is reached, we cannot make any more payout. However, of course we will announce this in advance.

Additional guidelines for rewards:
* Only the first reporter of a vulnerability can be rewarded
* Must be reported via OpenBugBounty.org
* No vulnerability disclosure

Please not that the following Vulnerabilities cannot be rewarded:
* Self XSS
* Missing cookie flags
* SSL/TLS best practices
* Mixed content warnings
* DoS or DDoS attacks
* Software version disclosure
* Stack traces or path disclosure
* Vulnerabilities affecting outdated browsers or platforms
* Reports from automated web vulnerability scanners that have not been validated
* Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)