Unikrn Bug Bounty Program

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

General Requirements:

# Scope Exclusions (are not eligible for a reward)
* DNS related or HTTP(S) Header related reports
* Reports relating to self-DoS issues (as in, only the person doing the action is denied service)
* Reports relating to self-Exploit issues (as in, only the logged in person doing the action is exploited in a non sticky fashion)
* Reports of the same issue in an alias domain - if there already is a open report for the same issue on another domain
* Server/Software version disclosure
* login csrf / logout csrf
* Email spoofing (Dmarc/SPF/DKIM)
* Reflected file download
* Clickjacking on emtpy or stage sites (read: must have high real world impact)
* Flaws affecting out-of-date browsers and plugins
* Publicly accessible login panels or html, js,..
* CSP Policy Weaknesses
* TabNabbing Rel=“noopener”
* HTTP Public Key Pinning
* We use s3 buckets to temporary store files people provided. This files expire and should never transition into anything we deliver as files. As long as you can not show a report where this is the case (we deliver this file or url to someone who did not upload this file) its not relevant. The usecase then is not different to an attacker creating his own s3 bucket and linking people to the file he uploaded (if you have reasons to disagree with this assessment please open an report about it)
* Vulnerabilities in 3rd party libraries without working exploit against our apps/servers
* Recently disclosed 0-day vulnerabilities
* Vulnerabilities on sites hosted by third parties, unless they lead to a vulnerability on our scoped domains
* Bugs that have not been responsibly investigated and reported or are directly copy and paste from automated scann reports
* Bugs already known to us, or already reported by someone else (reward goes to first reporter)
* Issues that aren't reproducible
* Issues that we can't reasonably be expected to do anything about

Testing Requirements:

* If you report on a network attack please provide a CURL command line (if possible)
* Researchers are more likely to earn a larger reward by demonstrating how a vulnerability can be exploited to maximum effect
* If you exploit something using a custom crafted request (and it does not affect an api), please describe a real world user impact visiting with a browser
* Please allow 3 business days for us to respond before sending another question on it
* Make sure to correctly classify the report severity. Refrain from reporting an severity above medium, if the report has medium or limited impact towards real users of a unikrn service

Possible Awards:

To show our appreciation of responsible security researchers, Unikrn offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.

Special Notes:

Unikrn built the most technologically advanced sportsbook for esports. We run the best fully-regulated and licensed esports bookmaker on the planet. No technology is perfect, and Unikrn believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Other Submissions Handling