'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Bug bounty 
This program is active now
Program info
HackenProof is a Bug Bounty and Vulnerability Coordination Platform. We connect our customers with the global hacker community to uncover security issues in their products. By running custom-tailored bug bounty programs we help our customers significantly reduce the risk of losing their data to cybercriminals.
In scope
Out of scope
| Target | Type | Severity | Reward |
|---|---|---|---|
Main website https://hackenproof.com | Web | Critical | Bounty |
Target
Main website
https://hackenproof.com
TypeWeb
Severity Critical
RewardBounty
| Target | Type | Severity | Reward |
|---|---|---|---|
blog.hackenproof.com
| Web | None | Swag |
Target
blog.hackenproof.com
- Our Blog
TypeWeb
Severity None
RewardSwag
Focus Area
In-Scope Vulnerabilities
We are interested in next web vulnerabilities:
- Business Logic
- Remote code execution (RCE)
- Database vulnerability, SQLi
- Cross Site Scripting (XSS)
- Privilege escalation
- Sensitive data exposure (IDOR, etc.)
- Authentication bypass
- Obtaining sensitive information
- Password attacks
- Cross-Site Request Forgery (CSRF)
- Server Side Request Forgery (SSRF)
Out-of-Scope Vulnerabilities
In general, the following vulnerabilities do not correspond to the severity threshold:
- Known problems: 2FA session issues
- UI and UX bugs and spelling or localization mistakes.
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing auth tokens, we do still want to hear about them
- Vulnerabilities in third-party applications
- Publicly accessible login panels without proof of exploitation.
- Reports that state that software is out of date/vulnerable without a proof of concept.
- Host header issues without proof-of-concept demonstrating the vulnerability.
- HTTP codes/pages or other HTTP non-codes/pages.
- Fingerprinting/banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking.
- CSRF in forms that are available to anonymous users (e.g. the contact form).
- Login & Logout CSRF
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HTTPOnly flags on non-security-sensitive Cookies.
- OPTIONS HTTP method enabled
- Lack of Security Speed bump when leaving the site.
- Weak Captcha
- Broken links (including social media)
- Content injection issues.
- HTTPS Mixed Content Scripts
- Content Spoofing without embedded links/html
- Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
- Reflected File Download (RFD).
- Best practices concerns.
- Highly speculative reports about theoretical damage. Be concrete.
- Missing HTTP security headers, specifically, For e.g.
- Missing rate limit in forms, fields
- Cookie reusing
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection
- Host Header
- X-Content-Type-Options
- Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- Content-Security-Policy-Report-Only
- Infrastructure vulnerabilities, including:
- Certificates/TLS/SSL related issues
- DNS issues (i.e. mx records, SPF records, DMARC records, etc.)
- Server configuration issues (i.e., open ports, TLS, etc.)
- Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including Internet Explorer all versions
- Vulnerabilities involving active content such as web browser add-ons
- XSS issues that affect only outdated browsers (like Internet Explorer)
- Issues that require physical access to a victim’s computer.
- Physical or social engineering attempts (this includes phishing attacks against employees).
- Recently disclosed 0day vulnerabilities.
- Microsites with little to no user data
- Most brute forcing issues
- Denial of service
- Spamming!
- Session fixation
Program Rules
- Avoid compromising any personal data, interruption or degradation of any service .
- Don’t access or modify other user data, localize all tests to your accounts.
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam.
- In case you find chain vulnerabilities we pay only for vulnerability with the highest severity.
- Only the first valid bug is eligible for reward.
- Don’t disclose publicly any vulnerability until you are granted permission to do so.
- Don’t break any law and stay in the defined scope.
- Comply with the rules of the program.
- Don't spam forms/fields
- Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission.
Rewards Range of bounty$50 - $1,500
Severity
Critical$1,200 - $1,500
High$700 - $900
Medium$200 - $300
Low$50 - $100
'%3e%3cpath%20d='M3%2021H24V24H0V0H3V21ZM6.75%2019.5C6.44587%2019.5006%206.14477%2019.4396%205.8649%2019.3205C5.58502%2019.2015%205.33219%2019.027%205.12167%2018.8075C4.91115%2018.588%204.74731%2018.3281%204.64006%2018.0435C4.5328%2017.7589%204.48436%2017.4555%204.49766%2017.1517C4.51095%2016.8478%204.58571%2016.5498%204.71741%2016.2757C4.84911%2016.0015%205.03502%2015.7569%205.2639%2015.5567C5.49279%2015.3564%205.7599%2015.2046%206.0491%2015.1105C6.3383%2015.0164%206.64358%2014.9818%206.9465%2015.009L9.3645%2010.9785C9.1434%2010.639%209.0181%2010.246%209.00182%209.84115C8.98554%209.43629%209.07888%209.03455%209.272%208.67835C9.46512%208.32215%209.75084%208.02471%2010.099%207.81743C10.4472%207.61016%2010.8448%207.50074%2011.25%207.50074C11.6552%207.50074%2012.0528%207.61016%2012.401%207.81743C12.7492%208.02471%2013.0349%208.32215%2013.228%208.67835C13.4211%209.03455%2013.5145%209.43629%2013.4982%209.84115C13.4819%2010.246%2013.3566%2010.639%2013.1355%2010.9785L15.5535%2015.009C15.6682%2014.9987%2015.7836%2014.9977%2015.8985%2015.006L19.8915%208.019C19.6046%207.59868%2019.4686%207.0935%2019.5058%206.58594C19.543%206.07837%2019.7511%205.59841%2020.0963%205.22442C20.4415%204.85043%2020.9032%204.60449%2021.4062%204.52678C21.9091%204.44906%2022.4236%204.54415%2022.8655%204.79653C23.3075%205.0489%2023.6508%205.44364%2023.8395%205.91631C24.0281%206.38897%2024.051%206.91163%2023.9043%207.39896C23.7576%207.88628%2023.45%208.30948%2023.0317%208.59945C22.6135%208.88942%2022.1093%209.02903%2021.6015%208.9955L17.6085%2015.9825C17.8379%2016.319%2017.9717%2016.7114%2017.9956%2017.118C18.0195%2017.5245%2017.9326%2017.9299%2017.7442%2018.291C17.5558%2018.652%2017.2729%2018.9552%2016.9258%2019.1681C16.5786%2019.381%2016.1802%2019.4957%2015.7729%2019.4999C15.3657%2019.5041%2014.965%2019.3978%2014.6134%2019.1922C14.2619%2018.9865%2013.9728%2018.6893%2013.7769%2018.3323C13.581%2017.9753%2013.4857%2017.5717%2013.5011%2017.1648C13.5165%2016.7578%2013.6421%2016.3627%2013.8645%2016.0215L11.4465%2011.991C11.3158%2012.0031%2011.1842%2012.0031%2011.0535%2011.991L8.6355%2016.0215C8.85679%2016.3611%208.98226%2016.7541%208.99864%2017.159C9.01503%2017.564%208.92172%2017.9659%208.72858%2018.3222C8.53544%2018.6785%208.24963%2018.9761%207.90137%2019.1834C7.5531%2019.3907%207.1553%2019.5001%206.75%2019.5Z'%20fill='%23050505'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2777_6507'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Stats Total rewards$24,047
Bugs found858
Categories 
Types SLA (Service Level Agreement)
Time within which the program's triage team must respond
Response TypeBusiness days
First Response2d
Triage Time3d
Reward Time3d
Resolution Time10d