Whitehat

Vulnerabilities & Bugs

At Bponi we take security very seriously. If you believe that you have found a security vulnerability on Bponi, we encourage you to let us know straight away. We will investigate all legitimate reports and do our best to quickly fix the problem.

We have given out rewards for reported bugs and vulnerabilities but these are discretionary and provided on a case by case basis.

We ask that:

  1. You give us reasonable time to investigate and mitigate an issue that you report before making any information about the report public or sharing such information with others.
  2. You make a good faith effort to avoid white hat violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
  3. You do not exploit a security issue that you discover for any reason.
  4. You do not violate any other applicable laws or regulations.
  5. You do not send us reports of trivial or well known issues (such as XML-RPC or Clickjacking (X-Frame-Options)).

In scope vulnerability examples

Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within our infrastructure.

Example of such bugs are:

  1. Cross-Site Scripting (XSS)
  2. Sql Injection/ XXE / RCE
  3. Server Side Request Forgery (SSRF)
  4. Cross-Site Request Forgery (CSRF/XSRF)
  5. Broken Authentication (including OAuth bugs)
  6. Broken Session flaws
  7. Remote Code Execution
  8. Privilege Escalation
  9. Provisioning Errors
  10. Business Logical flaws
  11. Payment Related Issues
  12. Misuse/Unauthorized use of our APIs

Out of scope vulnerabilities

Some of the reported issues, which carry low impact, may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues which typically do not earn a monetary reward or goodies:

  1. Bugs requiring exceedingly unlikely user interaction (Social engineering)
  2. Spam or social engineering techniques (e.g. SMS Bombing, Forget password page, signup OTPs)
  3. Any kind of Phishing/Spoofing attacks (e.g. Email spoofing, Capturing login credentials with fake login page)
  4. Denial-of-service attacks
  5. Login - Logout cross-site request forgery
  6. Presence of banner or version information
  7. Error messages (e.g. Application/Server/Database) and Stack trace void of sensitive data
  8. Clickjacking on pages without sensitive content, authentication, or state changing actions
  9. OPTIONS / TRACE HTTP methods enabled
  10. Missing HTTP Security Headers (e.g. Strict-Transport-Security - HSTS)
  11. Missing Cookie Flags (e.g. HttpOnly, secure etc)
  12. Host Header Injection
  13. Broken Links (e.g. 404 Not Found page)
  14. Known public files or directories disclosure (e.g. robots.txt, css/images etc)
  15. Browser ‘autocomplete’ enabled
  16. HTML / Text Injection
  17. Forced Browsing to non-sensitive information (e.g. help pages)
  18. Certificates/TLS/SSL related issues (e.g. BREACH, POODLE)
  19. DNS issues (e.g. Missing CName, SPF records etc.)
  20. End of Life Browsers / Old Browser versions (e.g. internet explorer 6)
  21. Weak CAPTCHA or CAPTCHA bypass using browser addons
  22. Coupon Misuse
  23. Brute force on forms (e.g. Contact us page)
  24. Brute force on “Login with password” page
  25. Account lockout not enforced
  26. Any vulnerabilities limited to sandbox, staging environments which cannot be reproducible on production environment
  27. CSV injection
  28. Any kind of vulnerabilities that requires installation of web browser add-ons in victim's machine
  29. Rate limit bypass by using multiple / duplicate accounts
  30. Vulnerabilities which Bponi determines as accepted risk will not be eligible for cash reward or goodies or listing on the Hall of Fame
  31. Bug which Bponi is already aware of or those already classified as ineligible

Terms and Conditions

By participating, you agree to comply with Bponi’s Terms and Conditions which are as follows:

  1. Abide by all the applicable laws of the land. Bponi would not be responsible for any non-adherence to the laws of the land on your part.
  2. You should make all effort to avoid Privacy violations, destruction of data, interruption & degradation of our service during your research. In case of any breach, Bponi reserves the right to take legal action.
  3. Eligibility for rewards and determination of the recipients and amount of reward is left up to the discretion of Bponi.
  4. Bponi reserves the right to discontinue the Bug Bounty Program at any time without notice.
  5. You may only exploit, investigate, or target vulnerabilities against your own account. Testing should not violate any law, or disrupt or compromise any data or access data that does not belong to you.
  6. All payments will be made in Bangladeshi Currency (BDT).

Changes to Program Terms

The Security Bug Bounty Program, including its policies, is subject to change or cancellation by Bponi at any time, without notice. As such, Bponi may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Security Bug Bounty Program after Bponi posts any such changes, you implicitly agree to comply with the updated Program Terms.

Program Termination

In the event you breach any of these Program Terms or the terms and conditions of Bponi Security Bug Bounty program, Bponi may immediately terminate your participation in the Security Bug Bounty Program and disqualify you from receiving any bounty payments.

Legal points

We shall not issue rewards to individuals who do not follow the guidelines of our Vulnerability Program and depending upon the action of an individual, we could take strict legal action.

Please send all reports to: security@bponi.com Please note that we receive a high volume of reports, therefore we can only reply to the first reporter of a significant issue.

Bponi is located at __

— Your friends at Bponi

Last Updated: Jun 01, 2019