
Hackberry Bug Bounty Program

Hackberry runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Hackberry set out below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the subsequent process of vulnerability remediation and disclosure between Hackberry and researchers.

The bug bounty program allows private and public submissions.

Bug Bounty Scope

The following websites are within the scope of the program:

*.hackberry.xyz

Non-Intrusive Submissions Handling

The following section covers submission of vulnerabilities that do not require intrusive testing, as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

To keep us out of legal trouble, we have one small requirement: you must be 18 years old, or of legal age in your own country, to hack.

When you are testing Hackberry and its assets, we trust you to not disclose any finding before we resolve the issue.

All reports must be in English.

Testing Requirements:

While we hate the rules, there are a few things that can be dangerous for our contributors and community. So we expect you to honor the following rules:

1. No phishing or direct interaction with any user, contributor or staff (core team).
2. No spamming. This includes any kind of content on GitHub (issues, pull requests, emails).

Possible Awards:

With every successful bug report, you get featured in our pwn4ge.txt which is accessible via all of our tools and website.

Special Notes:

We are a team that makes open source software, and we are looking for core team members. If you can help by writing code, writing documentation, or maintaining the community, please message us on https://twitter.com/hackberry_xyz.

Other Submissions Handling

The website owner wants to receive information about other vulnerabilities.

Notifications:

Mail your report to admin [at] hackberry [dot] xyz

Intrusive vulnerabilities must be encrypted with the provided public key before reporting.

PGP Key:


General Requirements:

The non-intrusive testing rules also apply to intrusive testing.

Testing Requirements:

We make open source software, and most of our products are expected to run on the user's own device. As a hint, we have the following assets:

1. GitHub Organization https://github.com/hackberry-xyz/
2. Website hosted on GitHub using Netlify https://hackberry.xyz
3. Personal Blogs of contributors:
* https://vi.hackberry.xyz hosted on GitHub using Netlify
4. Email provided by Zoho Mail
5. Discord Server
6. There might be some other assets related to projects hosted on https://github.com/hackberry-xyz/*

While not all of the above are in-scope, information leaks and misconfiguration are in-scope on all assets.

Some projects are in development in private repositories. They are in scope but presently we cannot provide any access to them.

Some projects may run in a decentralized way, which creates the possibility of remote attacks directly against the user. These are critical cases and we are actively looking for such vulnerabilities. Such findings are rewarded the highest.

## Scope
Most of our work is still in development, and at present we only allow testing on the following assets:

1. GitHub Organization including repositories https://github.com/hackberry-xyz/ (This excludes dev, develop or any other development branches.)
2. Website: https://hackberry.xyz
3. Core Team's blog:
* https://vi.hackberry.xyz
4. Email service configuration (Zoho runs its own bug bounty program)

## Out of Scope
The following are out of scope, except for information leaks in the listed assets:
1. Testing third-party services, i.e. GitHub, Zoho, Discord, Netlify, PyPI, Python (most of them run their own bug bounty programs, and the only vulnerabilities on these that can be attributed to us are misconfigurations or information leaks).
2. Third-party libraries (any library used in any project). You can report the vulnerability and we will try our best to get it fixed in the library itself. If the vulnerability in the third-party library gets fixed, we might provide our awards as well. But these libraries are owned by someone else, and applying a policy to them is not in our hands.
3. Non-security issues. These should be reported as a GitHub issue in the respective repository, including issues with our website, which is also openly available on GitHub.
4. Dev/develop or any other development branches. If you find any issue there, including a security issue, report it on GitHub issues in the respective repository. Note that information leaks in these branches must be reported using this vulnerability reporting channel only.
5. Core Team subdomains that are not in scope. We provide a subdomain and an email address to our core contributors if they ask for one. They are free to use them in any way. If they want, they can be included for testing.

Possible Awards:

There is no money in Hackberry, so we cannot reward you. However, critical issues might receive monetary rewards from the personal funds of 0xcrypto (core team members and contributors are not obliged in any way).

With every successful bug report, you get featured in our pwn4ge.txt, which is accessible via all of our tools and our website. We will not only put your name on it, we will also post a short diss message of your choice (if it is legal to post on Twitter, it is legal here as well).

Further, we guarantee free licenses for all of our paid products (if we build any in the future) to any security researcher who reports an intrusive vulnerability.

Special Notes:

Before reporting, please consider:

1. Security risk and impact,
2. Ownership of asset.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:


Researcher's comments

No comments so far.
