Wirth Horn Bug Bounty Program

Bug Bounty Scope

The following websites are within the scope of the program:

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

General Requirements:

We are interested in hearing about any potential security issues on the websites, web services and products we release. Please report only issues that have an actual security impact in a realistic scenario. This does not mean you need to fully exploit issues, just provide the information you have, and we will analyze your report and draw conclusions on the impact.

* Please send a clear description of the report along with a guidline to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
* You must avoid tests that could cause degradation or interruption of the websites and services. Thus limit your requests per second.
* You must not leak, manipulate, or destroy any user data.

Qualifying Vulnerabilities:
* Cross Site Scripting (XSS)
* Cross Site Request Forgery (CSRF)
* Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
* Authentication and Authorization Flaws
* Remote Code Execution (RCE)
* Code injections (HTML, JS, SQL, PHP, etc.)
* Insecure direct object references
* CORS
* Directory Traversal
* Privilege Escalation

Testing Requirements:

Vulnerabilities should be verified as authentic, and not simply automated results of pen-tests.

* Do not run automated scans without checking with us first.
* Do not test using social engineering techniques (phishing, vishing, etc.)
* Do not perform DoS or DDoS attacks.
* Do not attack our end users, or engage in trade of stolen user credentials.

Possible Awards:

Currently, we have no active reward program for reported vulnerabilities. We will post a recommendation to researcher's profile if desired.