MASG Bug Bounty Program

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

General Requirements:

Proof of Concept (PoC): Submissions must include a clear and replicable Proof of Concept. This can be in the form of a detailed textual explanation or a script that demonstrates the vulnerability without causing harm.

Screenshots: Please provide screenshots that document the vulnerability. These should capture the steps taken to identify the issue and highlight the potential impact.

Remediation Options: Alongside the vulnerability report, propose potential remediation measures or mitigations. We appreciate detailed suggestions tailored to our WordPress-hosted environment.

Server and Application-Level Testing: Ensure that your testing covers both server-side and application-level issues, taking into account the nuances of our WordPress infrastructure. This includes, but is not limited to, plugin vulnerabilities, theme weaknesses, and core WordPress security checks.

Confidentiality: Any information about discovered vulnerabilities must remain confidential between the reporter and our organization until we have resolved the issue.

Testing Requirements:

No Social Engineering: Do not employ any form of social engineering against our employees, customers, or infrastructure.

Non-Destructive Testing: Your testing must be non-intrusive and non-destructive. Please refrain from uploading shells, writing to the database, or altering content.

Throttled Scanning: Automated scanning tools must be configured to a low intensity to prevent any disruption to our services.

No Disruption of Service: Do not perform actions that could lead to denial-of-service conditions, degradation of user experience, or any form of service disruption.

Possible Awards:

For vulnerabilities that meet our program guidelines, we offer financial rewards ranging from $50 to $100. The exact amount will be determined based on the severity and impact of the vulnerability identified. We are also open to arranging an ongoing engagement with security researchers to perform routine testing of our digital assets.

Special Notes:

Our platform is hosted on WordPress, which comes with its specific set of common vulnerabilities that we are particularly interested in addressing. We expect researchers to have a nuanced approach to testing WordPress installations, including themes, plugins, and core functionality. Researchers should prioritize identifying vulnerabilities that could lead to unauthorized data access, privilege escalation, or server compromise. Your findings will contribute significantly to our continuous effort to secure our digital presence and protect our users.