Vulnerabilities & Bugs
At Bponi we take security very seriously. If you believe that you have found a security vulnerability on
Bponi, we encourage you to let us know straight away. We will investigate all legitimate reports and do our best
to fix the problem quickly.
We have given out rewards for reported bugs and vulnerabilities, but these are discretionary and provided on a
case-by-case basis.
We ask that:
- You give us reasonable time to investigate and mitigate an issue that you report before making any
information about the report public or sharing such information with others.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not
limited to) destruction of data and interruption or degradation of our services.
- You do not exploit a security issue that you discover for any reason.
- You do not violate any other applicable laws or regulations.
- You do not send us reports of trivial or well-known issues (such as XML-RPC or clickjacking).
In scope vulnerability examples
Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data,
or enable access to a system within our infrastructure.
Examples of such bugs are:
- Cross-Site Scripting (XSS)
- SQL Injection / XML External Entity (XXE) injection
- Server Side Request Forgery (SSRF)
- Cross-Site Request Forgery (CSRF/XSRF)
- Broken Authentication (including OAuth bugs)
- Broken session management flaws
- Remote Code Execution
- Privilege Escalation
- Provisioning Errors
- Business logic flaws
- Payment Related Issues
- Misuse/Unauthorized use of our APIs
Out of scope vulnerabilities
Some of the reported issues, which carry low impact, may not qualify. Although we review them on a case-by-case
basis, here are some of the common low-risk issues which typically do not earn a monetary reward or goodies:
- Bugs requiring exceedingly unlikely user interaction (social engineering)
- Spam or social engineering techniques (e.g. SMS bombing via the forgot-password page or signup OTPs)
- Any kind of phishing/spoofing attack (e.g. email spoofing, capturing login credentials with fake login
pages)
- Denial-of-service attacks
- Login/logout cross-site request forgery
- Presence of banner or version information
- Error messages (e.g. application/server/database) and stack traces void of sensitive data
- Clickjacking on pages without sensitive content, authentication, or state changing actions
- OPTIONS / TRACE HTTP methods enabled
- Missing HTTP Security Headers (e.g. Strict-Transport-Security - HSTS)
- Missing cookie flags (e.g. HttpOnly, Secure, etc.)
- Host Header Injection
- Broken Links (e.g. 404 Not Found page)
- Known public files or directories disclosure (e.g. robots.txt, css/images etc)
- Browser 'autocomplete' enabled
- HTML / Text Injection
- Forced Browsing to non-sensitive information (e.g. help pages)
- Certificates/TLS/SSL related issues (e.g. BREACH, POODLE)
- DNS issues (e.g. missing CNAME or SPF records, etc.)
- End-of-life browsers / old browser versions (e.g. Internet Explorer 6)
- Weak CAPTCHA or CAPTCHA bypass using browser addons
- Coupon Misuse
- Brute force on forms (e.g. Contact us page)
- Brute force on “Login with password” page
- Account lockout not enforced
- Any vulnerabilities limited to sandbox or staging environments which cannot be reproduced on production
- CSV injection
- Any kind of vulnerability that requires installation of web browser add-ons on the victim's machine
- Rate limit bypass by using multiple / duplicate accounts
- Vulnerabilities which Bponi determines as accepted risk will not be eligible for cash reward or goodies or
listing on the Hall of Fame
- Bugs which Bponi is already aware of, or those already classified as ineligible
Terms and Conditions
By participating, you agree to comply with Bponi’s Terms and Conditions which are as follows:
- Abide by all the applicable laws of the land. Bponi will not be responsible for any non-adherence to the
laws of the land on your part.
- You should make every effort to avoid privacy violations, destruction of data, and interruption or degradation
of our service during your research. In case of any breach, Bponi reserves the right to take legal action.
- Eligibility for rewards, and determination of the recipients and the amount of the reward, is left to the
discretion of Bponi.
- Bponi reserves the right to discontinue the Bug Bounty Program at any time without notice.
- You may only exploit, investigate, or target vulnerabilities against your own account. Testing must not
violate any law, disrupt or compromise any data, or access data that does not belong to you.
- All payments will be made in Bangladeshi currency (BDT).
Changes to Program Terms
The Security Bug Bounty Program, including its policies, is subject to change or cancellation by Bponi at any
time, without notice. As such, Bponi may amend these Program Terms and/or its policies at any time by posting a
revised version on our website. By continuing to participate in the Security Bug Bounty Program after Bponi
posts any such changes, you implicitly agree to comply with the updated Program Terms.
In the event you breach any of these Program Terms or the terms and conditions of Bponi Security Bug Bounty
program, Bponi may immediately terminate your participation in the Security Bug Bounty Program and disqualify
you from receiving any
We shall not issue rewards to individuals who do not follow the guidelines of our Vulnerability Program, and
depending on the individual's actions, we may take strict legal action.
Please send all reports to: firstname.lastname@example.org. Please note that we receive a high volume of
reports; therefore we can only reply to the first reporter of a significant issue.
Bponi is located at __
— Your friends at Bponi
Last Updated: Jun 01, 2019