Bug bounty program
Triaged by HackenProof

Sweed Web: Program info

Company: Sweed
100 reputation points required; POC required
Live: Program is active now

The Best Technology Platform in Cannabis.

In scope

Target                                        Type            Severity  VPN
https://store.sweedpos.com/*                  Web             Critical
https://curaleaf.sweedpos.com/*               Web             Critical
https://prime.sweedpos.com/l*                 Web             Critical
https://demo.sweedpos.com/*                   Web             Medium
https://sales.sweedpos.com/*                  Web             Medium
https://dev.sweedpos.com/*                    Web             Low
https://admin-panel.sweedpos.com/*            Web             Critical
https://admin-panel.curaleaf.sweedpos.com/*   Web             Critical
https://admin-panel.prime.sweedpos.com/*      Web             Critical
https://admin-panel.pilot.sweedpos.com/*      Web             Medium
https://admin-panel-sales.sweedpos.com/*      Web             Medium
https://admin-panel-dev.sweedpos.com/*        Web             Low
https://cashier.sweedpos.com/*                Web             Critical
https://cashier-prime.sweedpos.com/*          Web             Critical
https://cashier-curaleaf.sweedpos.com/*       Web             Critical
https://cashier-demo.sweedpos.com/*           Web             Medium
https://cashier-sales.sweedpos.com/*          Web             Medium
https://cashier-dev.sweedpos.com/*            Web             Low
https://kibana.kube-prod.sweedpos.com/*       Infrastructure  High      VPN: YES
https://kibana.elk.kube.sweedpos.com/*        Infrastructure  Medium    VPN: YES
https://dashboard.kube.sweedpos.com/*         Infrastructure  Critical  VPN: YES
https://dashboard.kube-prod.sweedpos.com/*    Infrastructure  Critical  VPN: YES
https://inner-test3.sweed.app/*               Web             Medium

Focus Area

IN SCOPE VULNERABILITIES: WEB VULNERABILITIES

Critical:

  • Remote Code Execution (RCE) - The ability to execute arbitrary code on the server.
  • Injection Attacks - SQL, XXE, and other methods to insert malicious code into system queries.
  • Admin Account Takeover - Scenarios where an attacker can gain access to an admin account.

High:

  • Business Logic Flaws - Situations where the system behaves incorrectly due to flawed rules or process design.
  • Access Control Issues - Gaining unauthorized access to data or escalating privileges.
  • Server-Side Request Forgery (SSRF) - Forcing the server to send requests to unintended destinations.
  • PII Data Exposure - Obtaining or modifying PII data without permission.

Medium:

  • User Account Takeover - Scenarios where an attacker can gain access to a user account.
  • File Inclusion - Loading or accessing files that should not be available (Local or Remote).
  • Cross-Site Request Forgery (CSRF) - Performing actions on behalf of another user without their consent.
  • Cross-Site Scripting (XSS) - Injecting malicious scripts into web pages.

Low:

  • Information Disclosure via Headers - Revealing unnecessary server or framework details in HTTP headers.
  • User Enumeration - Ability to identify existing accounts.
  • 2FA/PIN issues during login - Any bypasses or malfunctions of the second factor.
  • Password Reset issues - Any issues related to users resetting their own passwords.

OUT OF SCOPE: WEB VULNERABILITIES

  • Out-of-scope vulnerabilities - Resources not listed in Scope
  • Third-party applications - Vulnerabilities in third-party services not listed in Scope
  • Best practices remarks - Non-compliance with recommendations without a vulnerability
  • Recent 0day < 30 days - Newly disclosed vulnerabilities
  • Social engineering/phishing/physical access - Any attacks on people or physical infrastructure
  • Outdated browsers/platforms - Issues reproducible only on old versions
  • DoS/DDoS - Denial of Service attacks
  • Active content vulnerabilities - For example, browser extensions
  • Automated scanner reports - Findings generated automatically without manual verification
  • Outdated software without PoC - Reports on outdated versions without attack demonstration
  • Theoretical issues - Without practical demonstration
  • Spam - SMS, e-mail, etc.
  • Mixed HTTP/HTTPS content - Including scripts
  • Password reset token manipulation - Without full exploitation
  • Weak/bypassed CAPTCHA - Weak verification
  • MitM/local attacks - Requires physical access or same network
  • Content spoofing without links - No ability to attack the user
  • Subdomain Takeover - Taking control of an unused subdomain belonging to the organization.
  • Resource unavailability - Reports that a resource is unreachable (e.g., temporary downtime)
  • Exposed Google Maps API key - Any issues related to an exposed Google Maps API key
  • Open Redirect - Redirecting users to unintended external sites without validation.
  • Metric and telemetry exposure - Any issues related to exposed metric or telemetry data
  • https://www.sweedpos.com/ - Any issues related to website https://www.sweedpos.com/

Program Rules

Bug Bounty Program - General Provisions

1. Automated Scanning: Do not use web application scanners or other automated vulnerability detection tools that generate excessive load or significant traffic.

2. Service Availability: Make every effort not to damage or restrict the availability of products, services, or infrastructure during testing.

3. Data Protection: Avoid any actions that could compromise personal data, interrupt services, or degrade their performance.

4. Scope Compliance: Conduct all research strictly within the defined Scope.

5. Prohibited Methods: Do not exploit DoS/DDoS vulnerabilities, perform social engineering attacks, or send spam.

6. Automated Spam: Do not use automated scanners to mass-submit forms or create accounts.

7. Vulnerability Chains: If you discover a chain of related vulnerabilities, payment will only be made for the vulnerability with the highest severity.

8. Legal Compliance: Do not break any laws and always operate within the defined testing boundaries.

9. Confidentiality: Do not share details of discovered vulnerabilities with anyone other than the HackenProof Team or authorized employees of the company, unless you have explicit permission.

10. Non-Exploitable or Non-Impactful Issues: If a vulnerability is identified but cannot be practically exploited or does not pose a real security threat, no reward will be issued.

11. Duplicate Findings Across Domains: If identical vulnerabilities are discovered across different domains within the Scope (e.g., https://demo.sweedpos.com/logout/* and https://sales.sweedpos.com/logout/*), such reports will be considered duplicates, and only the first valid submission will be rewarded.

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment.
  • Please do NOT publish or discuss bugs.

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, and include attachments such as screenshots or proof-of-concept code as necessary.
  • You must not be a former or current employee of the company or one of its contractors.
  • ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded).
  • Provide detailed but to-the-point reproduction steps.
  • AI-generated reports without a runnable PoC are not accepted under this program.

Rewards

Range of bounty: $50 - $2,000

Severity   Reward
Critical   $1,200 - $2,000
High       $500 - $1,200
Medium     $200 - $500
Low        $50 - $200

Stats

Scope Review: 43831
Submissions: 108
Total rewards: $2,350
Types: Web
Project types: Web2
Hackers: 62

SLA (Service Level Agreement)

Time within which the program's triage team must respond (in business days):

Response Type     Business days
First Response    3d
Triage Time       3d
Reward Time       7d
Resolution Time   90d