Infosec Institute

Open Bug Bounty mentioned in the
Top 6 Bug Bounty programs of
2022 by the InfoSec Institute

The Hacker News

Open Bug Bounty named among the
Top 5 Bug Bounty programs of 2021
by The Hacker News

Platform update: please use our new authentication mechanism to securely use the Open Bug Bounty Platform.
For security researchers
Report a Vulnerability
Submit, help fixing, get kudos.
For website owners
Start a Bug Bounty
Run your bounty program for free.
1,703,071 coordinated disclosures
1,356,483 fixed vulnerabilities
1,975 bug bounty programs, 3,891 websites
45,714 researchers, 1,643 honor badges

Emercury Bug Bounty Program Bug Bounty Program

Emercury Bug Bounty Program runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program subject to the below-mentioned conditions and requirements of Emercury Bug Bounty Program

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene to the further process of vulnerability remediation and disclosure between Emercury Bug Bounty Program and researchers.

Bug bounty program allow private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

panel.emercury.net

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect

- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

The requirement for the security check is to find and report high-severity security breaches.
The tests should be done on this domain: https://panel.emercury.net/
You'll need to create a new account here: https://panel.emercury.net/registration.php

Testing Requirements:

* Any vulnerability found must be reported no later than 24 hours after discovery.
* You are not allowed to disclose details about the vulnerability anywhere else.
* You must avoid tests that could cause degradation or interruption of our service.
* You must not leak, manipulate, or destroy any user data.
* You are only allowed to test against accounts you own yourself.
* The use of automated tools or scripted testing is not allowed.

Possible Awards:

The standard reward is $50.

To qualify for a reward under this program, you should:

* Be the first to report a vulnerability.
* Include attachments such as screenshots or proof of concept code as necessary.
* Send a clear textual description of the report along with steps to reproduce the vulnerability.
* Disclose the vulnerability report directly and exclusively to us.

A good bug report should include the following information at a minimum:

* List the URL and any affected parameters
* Describe the browser
* Describe the perceived impact.
How could the bug potentially be exploited?
Any video or screenshot can be helpful.

Special Notes:

Any activity that would disrupt, damage, or adversely affect any third-party data or account is not allowed.

Please do not mass-create accounts to perform testing. Also, do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.

The following are strictly prohibited:
* Denial of Service attacks.
* Automated tools or scans, botnet, compromised site, end-clients, or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic.

Additionally, the following vulnerabilities will not be considered for bounty:
* Cross-site request forgery (CSRF)
* Cross domain leakage
* Information disclosure
* Software version disclosure
* XSS attacks via POST or headers
* Self-XSS
* Missing SPF or DMARC records
* HttpOnly and Secure cookie flags
* SSL/TLS related (such as HSTS, GET over HTTP, Password sent in HTTP)
* Session timeout
* Session Hijacking (cookie reuse)
* Missing X-Frame or X-Content headers
* Account enumeration
* Click-jacking
* Rate-limiting
* Confirmation Email (anything related with)

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

 
Response Time  Information How quickly researchers get responses to their submissions.
Remediation Time  Information How quickly reported submissions are fixed.
Cooperation and Respect  Information How fairly and respectfully researchers are being treated.

Researcher's comments

kevin7     21 September, 2023
    kevin7:
I was found a medium vulnerability in domain is it. Anyone contact me security team
MIKL_BUGZ     19 January, 2023
    MIKL_BUGZ:
where to report no url no email no contact ?? i have found very serious bug but where are you and also no reponse

  Latest Patched

 18.03.2024 agustiniano.edu.ar
 18.03.2024 armfox.am
 18.03.2024 delaur.am
 18.03.2024 money.udn.com
 17.03.2024 vtc.gov.tw
 17.03.2024 angra.rj.gov.br
 17.03.2024 sporthotel.am

  Latest Blog Posts

04.12.2023 by BAx99x
Unmasking the Power of Cross-Site Scripting (XSS): Types, Exploitation, Detection, and Tools
04.12.2023 by a13h1_
$1120: ATO Bug in Twitter’s
04.12.2023 by ClumsyLulz
How I found a Zero Day in W3 Schools
04.12.2023 by 24bkdoor
Hack the Web like a Pirate: Identifying Vulnerabilities with Style
04.12.2023 by 24bkdoor
Navigating the Bounty Seas with Open Bug Bounty

  Recent Recommendations

    16 March, 2024
    TorutheRedFox:
Thanks for the help with the XSS vulnerability. It was a quick fix.
    12 March, 2024
    fsousa:
Pooja found an XSS vulnerability in one of our websites and ethically reported it to us, providing all the information required for us to fix the site.
All the communication was so fast, almost real time!
We thank you very much for the time and knowledge shared with us!
    7 March, 2024
    ramram:
Reported an XSS vulnerability in our website.
    7 March, 2024
    jasongiss:
Thank you for your responsible and helpful disclosure.

We really appreciated that you followed up shortly afterwards and suggested a better implementation of our fix.

I'm very impressed with your approach - thank you!
    27 February, 2024
    GTCoSWeb:
Dipu1a helped notify us of a possible link exposure so we could remedy it quickly to avoid any issues.