WhiteMarket Web: Program info

In-Scope Vulnerabilities

You can report any vulnerabilities related to these issues:

• any balance manipulations (like having less than 0 on the balance, changing balance without depositing, using non-authorised assets);
• trading or purchasing tampering (swapping items, trading with no funds or negative balance, using non authorized assets, etc.);
• unauthorized access to servers (vulnerabilities that leads to RCE);
• changing item parameters on market or their prices (as well as other parameters and interruptions in Steam data communication);
• gaining access to other users’ accounts (and being able to affect it);
• XSS vulnerabilities (script execution needs to be proved);
• revealing confidential data (leaks, IDORs, etc.).

Out-of-Scope Vulnerabilities

However, there are some issues that can’t be included in our Bug Bounty program and therefore are not subject to a reward. Such as:

• reports generated and/or used with scanners and other automated tools;
• attacks that require gaining access to auser’s device;
• best practices in SSL/TLS configuration;
• spoofing content/inserting text (unless it can modify HTML/CSS or you show an attack vector);
• best practices in Content Security Policy, email (such as missing SPF/DKIM/DMARC records, etc.).
• Reports that state that software is out of date/vulnerable without a proof of concept

• When reporting an issue, you need to provide a detailed report and steps to reproduce it. Without it, the report is not eligible for a reward;
• You can’t share any information about the bugs you found;
• Phishing is prohibited;
• If you and other users reported the same vulnerability, we will reward the person who did it first (and completed all the requirements);
• If a more significant vulnerability is found, the reward can be increased;
• Even if you fulfilled all the rules of our Bug Bounty and submitted a report, we reserve the right to make the final decision on the reward.

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
• No vulnerability disclosure, including partial is allowed for the moment.
• Please do NOT publish/discuss bugs