Coordinated and Responsible Vulnerability Disclosure Free Bug Bounty Program 419,924 coordinated disclosures
228,381 fixed vulnerabilities
567 bug bounties with 1107 websites
11,361 researchers, 932 honor badges

Unikrn Bug Bounty Program

Unikrn runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program subject to the below-mentioned conditions and requirements of Unikrn

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene to the further process of vulnerability remediation and disclosure between Unikrn and researchers.

Bug bounty program allow private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

*.unikrn.com

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect

- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:


# Scope Exclusions (are not eligible for a reward)
* DNS related or HTTP(S) Header related reports
* Reports relating to self-DoS issues (as in, only the person doing the action is denied service)
* Reports relating to self-Exploit issues (as in, only the logged in person doing the action is exploited in a non sticky fashion)
* Reports of the same issue in an alias domain - if there already is a open report for the same issue on another domain
* Server/Software version disclosure
* login csrf / logout csrf
* Email spoofing (Dmarc/SPF/DKIM)
* Reflected file download
* Clickjacking on emtpy or stage sites (read: must have high real world impact)
* Flaws affecting out-of-date browsers and plugins
* Publicly accessible login panels or html, js,..
* CSP Policy Weaknesses
* TabNabbing Rel=“noopener”
* HTTP Public Key Pinning
* We use s3 buckets to temporary store files people provided. This files expire and should never transition into anything we deliver as files. As long as you can not show a report where this is the case (we deliver this file or url to someone who did not upload this file) its not relevant. The usecase then is not different to an attacker creating his own s3 bucket and linking people to the file he uploaded (if you have reasons to disagree with this assessment please open an report about it)
* Vulnerabilities in 3rd party libraries without working exploit against our apps/servers
* Recently disclosed 0-day vulnerabilities
* Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on our scoped domains
* Bugs that have not been responsibly investigated and reported or are directly copy and paste from automated scann reports
* Bugs already known to us, or already reported by someone else (reward goes to first reporter)
* Issues that aren't reproducible
* Issues that we can't reasonably be expected to do anything about

Testing Requirements:

* If you report on a network attack please provide a CURL command line (if possible)
* Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect
* If you exploit something using a custom crafted request (and it does not affect an api), please describe a real world user impact visiting with a browser
* Please allow 3 business days for us to respond before sending another question on it
* Make sure to correctly classify the report severity. Refrain from reporting an severity above medium, if the report has medium or limited impact towards real users of a unikrn service

Possible Awards:

To show our appreciation of responsible security researchers, Unikrn offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.

Special Notes:

Unikrn built the most technologically advanced sportsbook for esports. We run the best fully-regulated and licensed esports bookmaker on the planet. No technology is perfect, and Unikrn believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Other Submissions Handling

Website owner want to receive information about other vulnerabilities

Notifications:

You can send them to [email protected]

PGP Key:

Show key

https://unikrn.com/unikrn.asc

General Requirements:


# Scope Exclusions (are not eligible for a reward)
* DNS related or HTTP(S) Header related reports
* Reports relating to self-DoS issues (as in, only the person doing the action is denied service)
* Reports relating to self-Exploit issues (as in, only the logged in person doing the action is exploited in a non sticky fashion)
* Reports of the same issue in an alias domain - if there already is a open report for the same issue on another domain
* Server/Software version disclosure
* login csrf / logout csrf
* Email spoofing (Dmarc/SPF/DKIM)
* Reflected file download
* Clickjacking on emtpy or stage sites (read: must have high real world impact)
* Flaws affecting out-of-date browsers and plugins
* Publicly accessible login panels or html, js,..
* CSP Policy Weaknesses
* TabNabbing Rel=“noopener”
* HTTP Public Key Pinning
* We use s3 buckets to temporary store files people provided. This files expire and should never transition into anything we deliver as files. As long as you can not show a report where this is the case (we deliver this file or url to someone who did not upload this file) its not relevant. The usecase then is not different to an attacker creating his own s3 bucket and linking people to the file he uploaded (if you have reasons to disagree with this assessment please open an report about it)
* Vulnerabilities in 3rd party libraries without working exploit against our apps/servers
* Recently disclosed 0-day vulnerabilities
* Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on our scoped domains
* Bugs that have not been responsibly investigated and reported or are directly copy and paste from automated scann reports
* Bugs already known to us, or already reported by someone else (reward goes to first reporter)
* Issues that aren't reproducible
* Issues that we can't reasonably be expected to do anything about

Testing Requirements:

* If you report on a network attack please provide a CURL command line (if possible)
* Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect
* If you exploit something using a custom crafted request (and it does not affect an api), please describe a real world user impact visiting with a browser
* Please allow 3 business days for us to respond before sending another question on it
* Make sure to correctly classify the report severity. Refrain from reporting an severity above medium, if the report has medium or limited impact towards real users of a unikrn service

Possible Awards:

To show our appreciation of responsible security researchers, Unikrn offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.

Special Notes:

Unikrn built the most technologically advanced sportsbook for esports. We run the best fully-regulated and licensed esports bookmaker on the planet. No technology is perfect, and Unikrn believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

 
Response Time  How quickly researchers get responses to their submissions.
Remediation Time  How quickly reported submissions are fixed.
Cooperation and Respect  How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.

  Latest Patched

 21.08.2019 metacritic.com
 21.08.2019 manaus.am.gov.br
 21.08.2019 pikdo.com
 20.08.2019 milb.com
 20.08.2019 dealabs.com
 20.08.2019 jobbkk.com
 20.08.2019 wine-searcher.com
 20.08.2019 beforward.jp
 20.08.2019 dartmouth.edu
 20.08.2019 funda.nl

  Latest Blog Posts

19.08.2019 by ismailtsdln
IBM - Cross site Scripting [XSS]
15.08.2019 by thevivekkryadav
HOW I WAS BYPASSED CLOUDFLARE WAF
13.08.2019 by Renzi25031469
XSSCon - XSS Tool @Kitploit
13.08.2019 by Cur1S3
I Found a multiple xss on https://clickmeeting.com
13.08.2019 by ZIKADS
xss at anghami.com

  Recent Recommendations

    21 August, 2019
     SelectLine_GmbH:
Thank you, Rooghz, for pointing out a vulnerability on one of our websites.
    20 August, 2019
     runlevelone:
Thank you for the reported vulnerability! I thought I had those XSS pitfalls covered, but aparently not.
    20 August, 2019
     fukubacchi:
Thanks for reporting the issue and the vulnerability details!!!
    19 August, 2019
     maxiorel:
Thanks for reporting the problem and the vulnerability details.
    18 August, 2019
     darshilsabhaya:
thanks sir