WhiteMarket Web: Program Info

Triaged by HackenProof
WhiteMarket

WhiteMarket is a P2P platform where you can buy and sell CS:GO skins, items and more, for crypto or real money.

In Scope

Target          Type   Severity   Reward
*.white.market  Web    Critical   Bounty

In-Scope Vulnerabilities

You can report any vulnerabilities related to the following issues:

  • any balance manipulation (such as having a balance below 0, changing the balance without depositing, or using non-authorised assets);
  • trading or purchase tampering (swapping items, trading with no funds or a negative balance, using non-authorised assets, etc.);
  • unauthorised access to servers (vulnerabilities that lead to RCE);
  • changing item parameters or prices on the market (as well as other parameters, and interrupting Steam data communication);
  • gaining access to other users' accounts (and being able to affect them);
  • XSS vulnerabilities (script execution must be proved);
  • revealing confidential data (leaks, IDORs, etc.).

Out-of-Scope Vulnerabilities

Some issues cannot be included in our Bug Bounty program and are therefore not eligible for a reward, such as:

  • reports generated and/or used with scanners and other automated tools;
  • attacks that require gaining access to a user's device;
  • best practices in SSL/TLS configuration;
  • content spoofing / text injection (unless it can modify HTML/CSS or you show an attack vector);
  • best practices in Content Security Policy and email (such as missing SPF/DKIM/DMARC records, etc.);
  • reports stating that software is out of date or vulnerable without a proof of concept.

Program Rules

  • When reporting an issue, you need to provide a detailed report and steps to reproduce it. Without them, the report is not eligible for a reward;
  • Phishing is prohibited;
  • If you and other users report the same vulnerability, we will reward the person who reported it first (and completed all the requirements);
  • If a more significant vulnerability is found, the reward can be increased;
  • Even if you have fulfilled all the rules of our Bug Bounty and submitted a report, we reserve the right to make the final decision on the reward;
  • Do not share, discuss or publish any information about the bugs you found (even resolved ones) outside of the program without express consent from the organization. No vulnerability disclosure, including partial disclosure, is allowed for the moment.