WhiteMarket Web: Program Info

Triaged by HackenProof

WhiteMarket is a P2P platform where you can sell and buy CS:GO skins, items and more. Sell and Buy CSGO skins for crypto and real money.

In Scope

Target Type Severity Reward
Web Critical Bounty

In-Scope Vulnerabilities

You can report any vulnerabilities related to these issues:

  • any balance manipulations (like having less than 0 on the balance, changing balance without depositing, using non-authorised assets);
  • trading or purchasing tampering (swapping items, trading with no funds or negative balance, using non authorized assets, etc.);
  • unauthorized access to servers (vulnerabilities that leads to RCE);
  • changing item parameters on market or their prices (as well as other parameters and interruptions in Steam data communication);
  • gaining access to other users’ accounts (and being able to affect it);
  • XSS vulnerabilities (script execution needs to be proved);
  • revealing confidential data (leaks, IDORs, etc.).

Out-of-Scope Vulnerabilities

However, there are some issues that can’t be included in our Bug Bounty program and therefore are not subject to a reward. Such as:

  • reports generated and/or used with scanners and other automated tools;
  • attacks that require gaining access to auser’s device;
  • best practices in SSL/TLS configuration;
  • spoofing content/inserting text (unless it can modify HTML/CSS or you show an attack vector);
  • best practices in Content Security Policy, email (such as missing SPF/DKIM/DMARC records, etc.).
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • When reporting an issue, you need to provide a detailed report and steps to reproduce it. Without it, the report is not eligible for a reward;
  • You can’t share any information about the bugs you found;
  • Phishing is prohibited;
  • If you and other users reported the same vulnerability, we will reward the person who did it first (and completed all the requirements);
  • If a more significant vulnerability is found, the reward can be increased;
  • Even if you fulfilled all the rules of our Bug Bounty and submitted a report, we reserve the right to make the final decision on the reward.
  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial is allowed for the moment.
  • Please do NOT publish/discuss bugs