Bug bounty

BitDelta: Program info

Company: BitDelta
KYC required
This program is active now

BitDelta is a blockchain-based cryptocurrency exchange platform that brings significant and long-lasting disruptive alternatives to the trading of financial products by creating the first fully-insured cross-asset trading platform that will connect individuals, prime brokers, corporations and solve real-world payment problems by providing simple, effective, and secure payment and trading solutions across borders. Trade, Invest & Store multiple assets. We offer a fully secure trading platform to buy/sell Crypto, Forex, Stocks, CFDs, Indices, & Commodities.

In scope
Target                                                                                       | Type    | Severity | Reward
https://bitdelta.com/                                                                        | Web     | Critical | Bounty
https://apps.apple.com/ae/app/bitdelta/id6451034969                                          | iOS     | Critical | Bounty
https://play.google.com/store/apps/details?id=app.bitdelta.exchange&pcampaignid=web_share   | Android | Critical | Bounty

Focus Area

IN-SCOPE – WEB VULNERABILITIES

We are interested in the following vulnerabilities:

  • Business logic issues
  • Payments manipulation
  • Remote code execution (RCE)
  • Injection vulnerabilities (SQL, XXE)
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc.)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Cross-Site Request Forgery (CSRF)
  • Stored Cross-Site Scripting (XSS)
  • Directory traversal
  • Other vulnerabilities with a clear potential loss

OUT OF SCOPE – WEB VULNERABILITIES

Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:

  • Vulnerabilities in third-party applications
  • Assets that do not belong to the company
  • Recently (less than 45 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, phishing, physical, or other fraud activities
  • Publicly accessible login panels without proof of exploitation
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Reports generated by scanners or any other automated or active exploitation tools
  • Vulnerabilities involving active content such as web browser add-ons
  • Most brute-forcing issues without clear impact
  • Denial of service (DoS/DDoS)
  • Theoretical issues
  • Moderately Sensitive Information Disclosure
  • Spam (SMS, email, etc.)
  • Missing HTTP security headers
  • Infrastructure vulnerabilities, including:
    • Certificates/TLS/SSL-related issues
    • DNS issues (e.g. MX records, SPF records, DMARC records, etc.)
    • Server configuration issues (e.g. open ports, TLS, etc.)
  • Open redirects
  • Session fixation
  • User account enumeration
  • Clickjacking/tapjacking and issues only exploitable through clickjacking/tapjacking
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Self-XSS that cannot be used to exploit other users
  • Login & Logout CSRF
  • Weak Captcha/Captcha Bypass
  • Lack of Secure and HttpOnly cookie flags
  • Username/email enumeration via Login/Forgot Password Page error messages
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS
  • Content Spoofing without embedded links/HTML
  • Reflected File Download (RFD)
  • Mixed HTTP Content
  • HTTPS Mixed Content Scripts
  • No rate limit issues (without clear security impact)
  • Manipulation of password reset tokens
  • MitM and local attacks

OUT OF SCOPE – MOBILE VULNERABILITIES

  • Attacks requiring physical access to a user's device
  • Vulnerabilities that require root/jailbreak
  • Vulnerabilities requiring extensive user interaction
  • Exposure of non-sensitive data on the device
  • Reports from static analysis of the binary without PoC that impacts business logic
  • Lack of obfuscation/binary protection/root(jailbreak) detection
  • Certificate pinning bypass on rooted devices
  • Lack of exploit mitigations (e.g. PIE, ARC, or stack canaries)
  • Sensitive data in URLs/request bodies when protected by TLS
  • Path disclosure in the binary
  • OAuth & app secret hard-coded/recoverable in IPA, APK
  • Sensitive information retained as plaintext in the device’s memory
  • Crashes due to malformed URL Schemes or Intents sent to exported Activity/Service/Broadcast Receiver (exploiting these for sensitive data leakage is commonly in scope)
  • Any kind of sensitive data stored in the app's private directory
  • Runtime hacking exploits using tools such as (but not limited to) Frida/Appmon (exploits only possible in a jailbroken environment)
  • Shared links leaked through the system clipboard
  • Any URIs leaked because a malicious app has permission to view opened URIs
  • Exposure of API keys with no security impact (Google Maps API keys etc.)

Program Rules

  • Check the list of domains that are in scope for the Bug Bounty program.
  • Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our business, including Denial of Service attacks.
  • Do not exploit the vulnerability in any way, including by making it public or by obtaining a profit (other than a reward under this Program).
  • Please do not publicly disclose any vulnerabilities without our consent. We will not approve Public Disclosure requests until the vulnerability has been resolved.
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address.
  • Submit only one vulnerability per submission, unless you need to chain vulnerabilities to demonstrate impact.
  • In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.
  • By submitting a bug, you agree to be bound by the rules.

Disclosure Guidelines

  • As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment.
  • Please do NOT publish or discuss bugs.

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports, which help us improve our security. However, only those who meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of the vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackenproof.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
  • You must not be a former or current employee of BitDelta or one of its contractors.
  • ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded).
  • Provide detailed but to-the-point reproduction steps.

Reward Policy

We encourage responsible disclosure of security vulnerabilities. We will pay rewards in USDT. Rewards will be deposited into your BitDelta account. Below is our reward description. Severity will be calculated with the CVSS 3.0 calculator.

$1 Million Bug Bounty Reward Policy

The BitDelta Bug Bounty Program offers a reward of $1 million for the discovery of the following critical vulnerabilities, which pose the highest risk to the security and integrity of our platform:

Root Access to the Database: Unauthorised access to the root-level credentials or control of the database, which could compromise sensitive user data or critical platform functionality.

Root Access to the BitDelta Server: Gaining root-level access to the BitDelta server infrastructure, allowing full control over the system, including the ability to execute arbitrary commands, modify files, or manipulate server operations.

Please note that only vulnerabilities falling within the above criteria are eligible for the $1 million reward. All other reported vulnerabilities will be assessed based on their severity, with appropriate rewards granted accordingly.

Handling Personally identifiable information (PII)

Personally identifiable information (PII) includes:

  • Legal and/or full names
  • Names or usernames combined with other identifiers such as phone numbers or email addresses
  • KYC details
  • Information about political or religious affiliations
  • Information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes

When handling PII:

  • Do not intentionally access others' PII. If you suspect a service provides access to PII, limit queries to your own personal information.
  • Report the vulnerability immediately and do not attempt to access any other data. The BitDelta Security team will assess the scope and impact of the PII exposure.
  • Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned.
  • You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and a confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.
  • We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability.
Rewards

Range of bounty: $10 - $1,000,000

Severity | Reward range
Critical | $500 - $1,000,000
High     | $250 - $500
Medium   | $100 - $250
Low      | $10 - $75

Stats

Scope review: 24197
Submissions: 61
Total rewards: $175
Types: Web, apps
Platforms: iOS, Android
Project types: CEX

Hackers (44)

  1. holybugx
  2. vuln4n6
  3. KR
  4. Ranjeet Singh
  5. jai kumar

SLA (Service Level Agreement)

Time within which the program's triage team must respond (in business days):

Response type   | Business days
First response  | 3d
Triage time     | 5d
Reward time     | 5d
Resolution time | 30d