MIDAS Bug Bounty Program

MIDAS runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of MIDAS set out below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the further process of vulnerability remediation and disclosure between MIDAS and researchers.

The bug bounty program allows private and public submissions.

Bug Bounty Scope

The following websites are within the scope of the program:

midas.network
pentest.mid.as
mid.as

Non-Intrusive Submissions Handling

This section covers submissions of vulnerabilities that do not require intrusive testing, as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

No technology is perfect, and here at MIDAS we believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in our software and infrastructure.
If you believe you've found a security issue within our software or infrastructure, please let us know as soon as possible. We actively encourage and welcome private, coordinated and responsible disclosures.

We'll work alongside researchers who disclose potential issues to us in a private/responsible manner, to address any security concerns/vulnerabilities in a timely manner.

As our security team is English-speaking, we request that all reports be disclosed to us in English.

Testing Requirements:

Your initial report to us should include:
- Sufficient details of the vulnerability to allow it to be understood and reproduced by our developers and security team.
- HTTP requests and responses, HTML snippets, screenshots or any other supporting evidence.
- Redact any personal data before reporting.
- Proof of concept code (if available).
- The impact of the vulnerability.
- Any references or further reading that may be appropriate.
- Recommendations on how the issue could be mitigated or resolved.

The following are considered "in scope":
- mid.as (our main public website)
- pentest.mid.as (a hosted test MIDAS system, similar to that used by our hosted customers)
- midas.network (our dedicated service status site, and origin of our CDN)

The following are considered "out of scope":
- Vulnerabilities in 3rd party components or services
- Any of our customers' "hosted" MIDAS systems.

Researchers should:
1. Ensure that any testing is legal and authorized, and within the Scope set out above.
2. Respect the privacy of others, including our customers.
3. Not engage in activities which may impact our customers' ability to access our services, including but not limited to DoS/DDoS-style attacks.
4. Refrain from spamming or social engineering activities.
5. Not make physical attempts against MIDAS property or data centers.
6. Make reasonable efforts to contact our security team.
7. Not demand payment or other rewards as a condition of providing information on security vulnerabilities, or in exchange for not publishing the details or reporting them to industry regulators.

Possible Awards:

We may, at our sole discretion, provide a monetary reward or "bug bounty" to the security researcher.
Whether a monetary reward is offered and any amount will be based upon a number of factors, including - but not limited to - the potential likelihood and severity of the reported issue occurring/being exploited, as well as the researcher's cooperation and adherence to these guidelines.

For issues we consider to be very small/minor/negligible, it's unlikely that we'll be able to offer a monetary reward.

Regardless of whether a monetary reward is offered, we will happily acknowledge and credit the researcher accordingly on our dedicated page: https://security.midas.network/credits

Special Notes:

Full reporting guidelines may be viewed at https://security.midas.network/reporting

Other Submissions Handling

The website owner wants to receive information about other vulnerabilities.

Notifications:

https://security.midas.network/contact
