
Perlego Bug Bounty Program

Perlego runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Perlego set out below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the subsequent process of vulnerability remediation and disclosure between Perlego and researchers.

This bug bounty program allows private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

*.perlego.com

Non-Intrusive Submissions Handling

The following section covers submission of vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

- Always send a working PoC
- Attach screenshots and (optionally) video recordings
- Provide brief remediation guidelines
- In principle, any Perlego-owned web service that handles reasonably sensitive user data is intended to be in scope. This includes virtually all content in the *.perlego.com domain. Any vulnerability found in third-party services is excluded from the scope.
- Reports from vulnerability scanners without an actual PoC are not considered

Testing Requirements:

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
- Cross-site scripting
- Cross-site request forgery
- Mixed-content scripts
- Authentication or authorization flaws
- Server-side code execution bugs

Note that the scope of the program is limited to technical vulnerabilities in Perlego-owned browser extensions, mobile, and web applications; please do not try to sneak into Perlego offices, attempt phishing attacks against our employees, and so on.

Out of concern for the availability of our services to all users, please do not attempt to carry out DDoS attacks, leverage black hat SEO techniques, spam people, or do other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.

Possible Awards:

Rewards for qualifying bugs range from $100 to $1,000+. We are a startup with limited funds and we cannot afford to pay as much as larger organisations do for the discovery of such vulnerabilities.

- Server-side code execution, such as command injection, deserialization bugs, or sandbox escapes: $1,000+
- Unrestricted file system or database access: $1,000+
- Logic flaws leaking or bypassing significant security controls: $100 - $1,000
- Code execution on the client: $100 - $1,000
- Other valid security vulnerabilities, such as CSRF, clickjacking, information leaks, or privilege escalation: $50 - $500

Special Notes:

- You must not disclose or discuss any found vulnerabilities anywhere in order to be eligible to receive an award
- Your testing must not violate any law, or disrupt or compromise any data that is not your own

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

Response Time: how quickly researchers get responses to their submissions.
Remediation Time: how quickly reported submissions are fixed.
Cooperation and Respect: how fairly and respectfully researchers are treated.

Researcher's comments

No comments so far.
