Coordinated and Responsible Vulnerability Disclosure Free Bug Bounty Program 469,095 coordinated disclosures
251,216 fixed vulnerabilities
621 bug bounties with 1244 websites
12,659 researchers, 978 honor badges

Unikrn Bug Bounty Program

Unikrn runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program subject to the below-mentioned conditions and requirements of Unikrn

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene to the further process of vulnerability remediation and disclosure between Unikrn and researchers.

Bug bounty program allow private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

*.unikrn.com

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect

- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:


# Scope Exclusions (are not eligible for a reward)
* DNS related or HTTP(S) Header related reports
* Reports relating to self-DoS issues (as in, only the person doing the action is denied service)
* Reports relating to self-Exploit issues (as in, only the logged in person doing the action is exploited in a non sticky fashion)
* Reports of the same issue in an alias domain - if there already is a open report for the same issue on another domain
* Server/Software version disclosure
* login csrf / logout csrf
* Email spoofing (Dmarc/SPF/DKIM)
* Reflected file download
* Clickjacking on emtpy or stage sites (read: must have high real world impact)
* Flaws affecting out-of-date browsers and plugins
* Publicly accessible login panels or html, js,..
* CSP Policy Weaknesses
* TabNabbing Rel=“noopener”
* HTTP Public Key Pinning
* We use s3 buckets to temporary store files people provided. This files expire and should never transition into anything we deliver as files. As long as you can not show a report where this is the case (we deliver this file or url to someone who did not upload this file) its not relevant. The usecase then is not different to an attacker creating his own s3 bucket and linking people to the file he uploaded (if you have reasons to disagree with this assessment please open an report about it)
* Vulnerabilities in 3rd party libraries without working exploit against our apps/servers
* Recently disclosed 0-day vulnerabilities
* Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on our scoped domains
* Bugs that have not been responsibly investigated and reported or are directly copy and paste from automated scann reports
* Bugs already known to us, or already reported by someone else (reward goes to first reporter)
* Issues that aren't reproducible
* Issues that we can't reasonably be expected to do anything about

Testing Requirements:

* If you report on a network attack please provide a CURL command line (if possible)
* Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect
* If you exploit something using a custom crafted request (and it does not affect an api), please describe a real world user impact visiting with a browser
* Please allow 3 business days for us to respond before sending another question on it
* Make sure to correctly classify the report severity. Refrain from reporting an severity above medium, if the report has medium or limited impact towards real users of a unikrn service

Possible Awards:

To show our appreciation of responsible security researchers, Unikrn offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.

Special Notes:

Unikrn built the most technologically advanced sportsbook for esports. We run the best fully-regulated and licensed esports bookmaker on the planet. No technology is perfect, and Unikrn believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Other Submissions Handling

Website owner want to receive information about other vulnerabilities

Notifications:

You can send them to [email protected]

PGP Key:

Show key

https://unikrn.com/unikrn.asc

General Requirements:


# Scope Exclusions (are not eligible for a reward)
* DNS related or HTTP(S) Header related reports
* Reports relating to self-DoS issues (as in, only the person doing the action is denied service)
* Reports relating to self-Exploit issues (as in, only the logged in person doing the action is exploited in a non sticky fashion)
* Reports of the same issue in an alias domain - if there already is a open report for the same issue on another domain
* Server/Software version disclosure
* login csrf / logout csrf
* Email spoofing (Dmarc/SPF/DKIM)
* Reflected file download
* Clickjacking on emtpy or stage sites (read: must have high real world impact)
* Flaws affecting out-of-date browsers and plugins
* Publicly accessible login panels or html, js,..
* CSP Policy Weaknesses
* TabNabbing Rel=“noopener”
* HTTP Public Key Pinning
* We use s3 buckets to temporary store files people provided. This files expire and should never transition into anything we deliver as files. As long as you can not show a report where this is the case (we deliver this file or url to someone who did not upload this file) its not relevant. The usecase then is not different to an attacker creating his own s3 bucket and linking people to the file he uploaded (if you have reasons to disagree with this assessment please open an report about it)
* Vulnerabilities in 3rd party libraries without working exploit against our apps/servers
* Recently disclosed 0-day vulnerabilities
* Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on our scoped domains
* Bugs that have not been responsibly investigated and reported or are directly copy and paste from automated scann reports
* Bugs already known to us, or already reported by someone else (reward goes to first reporter)
* Issues that aren't reproducible
* Issues that we can't reasonably be expected to do anything about

Testing Requirements:

* If you report on a network attack please provide a CURL command line (if possible)
* Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect
* If you exploit something using a custom crafted request (and it does not affect an api), please describe a real world user impact visiting with a browser
* Please allow 3 business days for us to respond before sending another question on it
* Make sure to correctly classify the report severity. Refrain from reporting an severity above medium, if the report has medium or limited impact towards real users of a unikrn service

Possible Awards:

To show our appreciation of responsible security researchers, Unikrn offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.

Special Notes:

Unikrn built the most technologically advanced sportsbook for esports. We run the best fully-regulated and licensed esports bookmaker on the planet. No technology is perfect, and Unikrn believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

 
Response Time  How quickly researchers get responses to their submissions.
Remediation Time  How quickly reported submissions are fixed.
Cooperation and Respect  How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.

  Latest Patched

 19.11.2019 agadir24.info
 19.11.2019 ethiojobs.net
 19.11.2019 my-search.com
 19.11.2019 mobilecountyal.gov
 19.11.2019 dealmoon.com
 19.11.2019 lyricstranslate.com
 19.11.2019 unu.edu
 19.11.2019 thepiratebay10.org
 19.11.2019 theweathernetwork.com

  Latest Blog Posts

30.10.2019 by Nep_1337_1998
Denial of Service vulnerability in script-loader.php (CVE-2018-6389)
17.10.2019 by 0xrocky
Stored XSS
17.10.2019 by geeknik
The "S" in IOT is for Security
16.10.2019 by Fadavvi
Best XSS Vectors
01.10.2019 by Renzi25031469
#Security 100%

  Recent Recommendations

    17 November, 2019
     Project84823360:
4N_CURZE did a great job locating and letting us know about vulnerabilities. He was detailed, professional and provided exceptional turnaround time. It was our pleasure to work with him! Thanks again.
    15 November, 2019
     hyperext_uk:
@Cyberanteater very kindly alerted us about a git vunerability on one of our websites which we promptly fixed. This also prompted us to audit all our other projects.

Much appreciated.
Steve
    15 November, 2019
     dalitso47152461:
Thanks for bringing the issue to our attention. The info you provided was very helpful and instrumental in getting a fix in place.
    14 November, 2019
     cloudrexx:
Thank you very much for making us aware of the issue and providing us a high quality vulnerability report which helped us identify the source of the vulnerability right away.
    14 November, 2019
     pofope1:
Thanks for your report. Please check we have patched it. :)