Infosec Institute

Open Bug Bounty mentioned in the
Top 6 Bug Bounty programs of
2022 by the InfoSec Institute

The Hacker News

Open Bug Bounty named among the
Top 5 Bug Bounty programs of 2021
by The Hacker News

Platform update: please use our new authentication mechanism to securely use the Open Bug Bounty Platform.
For security researchers
Report a Vulnerability
Submit, help fixing, get kudos.
For website owners
Start a Bug Bounty
Run your bounty program for free.
1,722,299 coordinated disclosures
1,393,620 fixed vulnerabilities
2,014 bug bounty programs, 3,932 websites
48,643 researchers, 1,658 honor badges

Semabet UG Bug Bounty Program

Semabet UG runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program subject to the below-mentioned conditions and requirements of Semabet UG

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene to the further process of vulnerability remediation and disclosure between Semabet UG and researchers.

Bug bounty program allow private and public submissions.

Bug Bounty Scope

The following websites are within the scope of the program:

semabet.ug
*.semabet.ug

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect

- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

We require that all researchers follow the following testing and reporting rules:

If you are able to expose PII (personally identifying information) as a result of your testing, please stop testing and submit the vulnerability and do not include PII in your report submission. This is for compliance reasons.
Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
Only interact with accounts you own or with the explicit permission of the account holder.
Perform research only within the scope set out below.
To the extent that you have accessed non-public My-Shop information in the course of your research, you do not maintain copies of any such information or share any such information with any third party.
You do not publicly disclose or share the vulnerability details without the written permission of Semabet

Testing Requirements:

Vulnerability reports which do not include careful manual validation - for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability - will be closed as Not Applicable.

The Semabet Bug Bounty program considers excluding vulnerability classes below:

Self-XSS
Tabnabbing
Clickjacking
Flash-based XSS
SPF/DKIM/DMARC issues
Cookie expiration
Cookie valid after logout
Issues related to rate limiting
Internal IP address disclosure
Reveal internal class information
Unauthenticated/logout/login CSRF
Cookie valid after password change/reset
Missing best practices in SSL/TLS configuration
Weak password policies & Password policies bypass
Attacks requiring MITM or physical access to a user's device
Any activity that could lead to the disruption of our service (DoS)
Previously known vulnerable libraries without a working Proof of Concept
Weak Captcha & Captcha bypass (excluded only for testing environments)
Login or Forgot Password page brute force and account lockout not enforced
Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Username enumeration on customer-facing systems (i.e. using server responses to determine whether a given account exists)
Vulnerabilities that only affect one browser will be considered on a case-by-case basis and may be closed as informative due to the reduced attack surface
Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)

Possible Awards:

Hall of Fame.
Your efforts play a crucial role in enhancing the security of our systems. While we don’t currently offer monetary rewards, we’re excited to recognize your achievements in our Hall of Fame. Your name will forever be associated with the positive impact you’ve made on our platform. Keep up the great work, and let’s continue working together to make the digital world safer for everyone!

Special Notes:

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. Violation of these requirements may result in permanent disqualification from the program.
Any activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program.

Feedback

If you have suggestions for improving this program, please let us know at [email protected]

Other Submissions Handling

Website owner want to receive information about other vulnerabilities

Notifications:

[email protected]

General Requirements:

We require that all researchers follow the following testing and reporting rules:

If you are able to expose PII (personally identifying information) as a result of your testing, please stop testing and submit the vulnerability and do not include PII in your report submission. This is for compliance reasons.
Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
Only interact with accounts you own or with the explicit permission of the account holder.
Perform research only within the scope set out below.
To the extent that you have accessed non-public My-Shop information in the course of your research, you do not maintain copies of any such information or share any such information with any third party.
You do not publicly disclose or share the vulnerability details without the written permission of Semabet

Testing Requirements:

Vulnerability reports which do not include careful manual validation - for example, reports based only on results from automated tools and scanners or which describe theoretical attack vectors without proof of exploitability - will be closed as Not Applicable.

The Semabet Bug Bounty program considers excluding vulnerability classes below:

Self-XSS
Tabnabbing
Clickjacking
Flash-based XSS
SPF/DKIM/DMARC issues
Cookie expiration
Cookie valid after logout
Issues related to rate limiting
Internal IP address disclosure
Reveal internal class information
Unauthenticated/logout/login CSRF
Cookie valid after password change/reset
Missing best practices in SSL/TLS configuration
Weak password policies & Password policies bypass
Attacks requiring MITM or physical access to a user's device
Any activity that could lead to the disruption of our service (DoS)
Previously known vulnerable libraries without a working Proof of Concept
Weak Captcha & Captcha bypass (excluded only for testing environments)
Login or Forgot Password page brute force and account lockout not enforced
Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Username enumeration on customer-facing systems (i.e. using server responses to determine whether a given account exists)
Vulnerabilities that only affect one browser will be considered on a case-by-case basis and may be closed as informative due to the reduced attack surface
Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)

Possible Awards:

Hall of Fame.
Your efforts play a crucial role in enhancing the security of our systems. While we don’t currently offer monetary rewards, we’re excited to recognize your achievements in our Hall of Fame. Your name will forever be associated with the positive impact you’ve made on our platform. Keep up the great work, and let’s continue working together to make the digital world safer for everyone!

Special Notes:

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. Violation of these requirements may result in permanent disqualification from the program.
Any activity determined to involve the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services or IT infrastructure will result in permanent disqualification from the program.

Feedback

If you have suggestions for improving this program, please let us know at [email protected]

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

 
Response Time  Information How quickly researchers get responses to their submissions.
Remediation Time  Information How quickly reported submissions are fixed.
Cooperation and Respect  Information How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.

  Latest Patched

 16.06.2024 portal.uoalhuda.edu.iq
 16.06.2024 evdekal.odu.edu.tr
 16.06.2024 dkdp.uobasrah.edu.iq
 16.06.2024 dprc.uobasrah.edu.iq
 16.06.2024 units.uoalhuda.edu.iq
 16.06.2024 users.uoalhuda.edu.iq
 16.06.2024 en.msc.uobasrah.edu.iq
 16.06.2024 deps.uoalhuda.edu.iq

  Latest Blog Posts

04.12.2023 by BAx99x
Unmasking the Power of Cross-Site Scripting (XSS): Types, Exploitation, Detection, and Tools
04.12.2023 by a13h1_
$1120: ATO Bug in Twitter’s
04.12.2023 by ClumsyLulz
How I found a Zero Day in W3 Schools
04.12.2023 by 24bkdoor
Hack the Web like a Pirate: Identifying Vulnerabilities with Style
04.12.2023 by 24bkdoor
Navigating the Bounty Seas with Open Bug Bounty

  Recent Recommendations

    4 June, 2024
    ThirdDoorMedia:
Researcher reported public Docker local env file, no security breach but this file should not be publicly available, thanks SYPltd.
    4 June, 2024
    ThirdDoorMedia:
Researcher reported public local env Docker file, no security breach but file should not be publicly available, thank you SYPltd.
    29 May, 2024
    jraymond:
It was the first time for us that we received a report about openbugbounty. The researcher reported a demo dockerfile on our website. No security breach but it's not "professionnal" to see this kind of file on a website.
Thank you SYPltd
    28 May, 2024
    MotionTM:
Thank you very much for your support and uncovering the vulnerabilities.
    28 May, 2024
    MotionTM:
Thank you very much for your support and uncovering the vulnerabilities.