Bug Bounty Program

Working together for a safer internet


Stackry is committed to working with security experts across the globe to stay up-to-date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we welcome working with you. Please let us know about it and we’ll make every effort to quickly correct the issue.

Rules of Engagement

Program Rules

While we want our hackers to perform at their best, we also want to ensure that there is minimal disruption to our business. As research is being performed, please ensure the following:

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • We cannot reward or do business with any individual on any U.S. sanctions list or any individual residing in any country on any U.S. sanctions list. This includes residents of Cuba, Sudan, North Korea, Iran or Syria.
  • Severity level is based on the scoring model described below; exceptions are granted at the sole discretion of the Stackry engineering team.

Testing Rules

  • Do not attempt to access private customer information.
  • Never attempt to view, modify, or damage data belonging to others. If you need to test a vulnerability, create an account.
  • Do not send reports from automated tools without verifying a working PoC.
  • Please provide your IP address in the bug report.

Response Targets

Stackry will make a best effort to meet the following response targets for hackers participating in our program:

  • Time to first response (from report submit) – 2 business days
  • Time to triage (from report submit) – 2 business days
  • Time to bounty (from triage) – 1 business day (max 2 weeks)
  • Time to resolution – 30 days

All times are in business days.

Non-Qualifying Vulnerabilities and Exclusions

  • Session token in URL. We are aware of the session token in the URL in some image calls on the site.
  • Password reset tokens are invalidated on first use rather than when a newer token is issued.
  • There is a value in a config file called api_key; it is not related to security, it is merely a brand identifier.
  • Sign-up not validating addresses (it is rate-limited).
  • Server name and version disclosure.
  • Missing HTTP security headers.
  • Missing cookie flags on non-sensitive cookies
  • Missing rate-limits on authenticated services unless the service can impact more than the authenticated user
  • Denial of service, distributed denial of service, or other availability attacks unless they are a result of code execution
  • Physical attacks against any Stackry office or data center
  • Social engineering, for example phishing or calling, of any Stackry employee, contractor or agent
  • Please don’t send us vulnerability scanner output. If it’s a real bug, you must provide steps to reproduce and/or a proof of concept. Any automated reports submitted will be closed without being triaged.
  • Vulnerable versions of libraries (for example jQuery) without a demonstrable attack vector.
  • Web browser XSS protection is not enabled.
  • Similar weaknesses/reports will not be paid out as separate bounties, for example XSS in multiple parameters of the same endpoint.
  • Google Maps API – Any report regarding Google Maps API will be closed as informative.
  • Circumventing server-side rate limits using burst requests if they don’t exceed the number of running servers
  • Reports of user credentials found in an online database of compromised username/password pairs, unless the compromise was due to a Stackry system vulnerability, will be closed as informative

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Classification and Rewards

Our rewards are based on a severity scale from P1 through P5. Please note these are general guidelines, and reward decisions are at the discretion of Stackry.com. As a benchmark for scoring we use the Bugcrowd Vulnerability Rating Taxonomy, although it is only a general guideline.

Note: Reward payments are made via PayPal only.


Priority | Impact | Examples | Reward

P1 – Critical
  Impact: Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, etc.
  Examples:
  • Remote Code Execution
  • Vertical Authentication Bypass
  • XML External Entities Injection with significant impact
  • SQL Injection with significant impact
  Reward: $2,000+

P2 – High
  Impact: Vulnerabilities that affect the security of the platform, including the processes it supports.
  Examples:
  • Lateral authentication bypass
  • Stored XSS with significant impact
  • CSRF with significant impact
  • Direct object reference with significant impact
  • Internal SSRF
  Reward: $1,000+

P3 – Medium
  Impact: Vulnerabilities that affect multiple users and require little or no user interaction to trigger.
  Examples:
  • Reflected XSS with impact
  • Direct object reference
  • URL redirect
  • CSRF with impact
  Reward: $500+

P4 – Low
  Impact: Vulnerabilities that affect single users and require interaction or significant prerequisites (e.g. MitM) to trigger.
  Examples:
  • SSL misconfigurations with little impact
  • SPF configuration problems
  • XSS with limited impact
  • CSRF with limited impact
  Reward: $100+

P5 – Acceptable Risk
  Impact: Non-exploitable vulnerabilities in functionality. Vulnerabilities that are by design or are deemed an acceptable business risk to the customer.
  Examples:
  • Debug information
  • Use of CAPTCHAs
  • Code obfuscation
  • Rate limiting, etc.
  Reward: Not typically eligible for a reward

Bug reports should be made via email to Stackry Support.