FitBurn Web & Mobile: Program Info

Triaged by HackenProof
FitBurn

Ended 158 days ago

FitBurn will disrupt the fitness industry with the world’s first burn-to-earn revolutionary fitness lifestyle application. It allows you to earn money in the form of our Calorie tokens (CAL) by holding a gamified T-Shirt NFT.

In Scope

Target Type Severity Reward
https://www.fitburn.ai
Web Critical Bounty
https://apps.apple.com/in/app/fitburn/id6444105607
iOS Critical Bounty
https://play.google.com/store/apps/details?id=io.fitburn.mobile
Android Critical Bounty

IN-SCOPE VULNERABILITIES (WEB, MOBILE)

  • We are interested in the following vulnerabilities:
  • Business logic issues
  • Payments manipulation
  • Remote code execution (RCE)
  • Injection vulnerabilities (SQL, XXE)
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)
  • Directory traversal
  • Other vulnerability with a clear potential loss
  • Missing HTTP security headers
  • Infrastructure vulnerabilities, including: gaining access to aws infrastructure
  • Login & Logout CSRF
  • Brute-forcing issues with clear impact
  • Vulnerabilities involving active content such as web browser add-ons

We are also interested:

  • Best practice issues
  • Theoretical vulnerabilities

OUT OF SCOPE: WEB VULNERABILITIES

  • Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not correspond to the severity threshold:
  • Vulnerabilities in third-party applications
  • Assets that do not belong to the company
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, phishing, physical, or other fraud activities
  • Publicly accessible login panels without proof of exploitation
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Reports that generated by scanners or any automated or active exploit tools
  • Denial of service (DoS/DDoS)
  • Moderately Sensitive Information Disclosure
  • Spam (sms, email, etc)
  • Infrastructure vulnerabilities, including:
  • Certificates/TLS/SSL-related issues;
  • DNS issues (i.e. MX records, SPF records, DMARC records etc.);
  • Server configuration issues (i.e., open ports, TLS, etc.)
  • Open redirects
  • Session fixation
  • User account enumeration
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Weak Captcha/Captcha Bypass
  • Lack of Secure and HTTPOnly cookie flags
  • Username/email enumeration via Login/Forgot Password Page error messages
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content Spoofing without embedded links/HTML
  • Reflected File Download (RFD)
  • Mixed HTTP Content
  • HTTPS Mixed Content Scripts
  • Manipulation with Password Reset Token
  • MitM and local attacks
  • Self-XSS that cannot be used to exploit other users
  • Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial is allowed for the moment.
  • Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of us or one of its contractor.
  • ONLY USE YOUR HackerProof ADDRESS (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the point reproduction steps