
Bug Bounty

Find a vulnerability in the AvanChange service and get a reward. We are grateful to everyone who detects bugs and together with us makes AvanChange more reliable.


🐞 What is a bug bounty?

A bug bounty is an open program for finding vulnerabilities in a product. There are several approaches to testing a service. The standard one is for the team's own testers to test the service before release. The second, less conventional one is a bug bounty: a contest in which hackers and programmers are invited to find bugs and vulnerabilities in a service for a reward. It works like this:

  1. The company announces a contest to find problems and vulnerabilities in its project;
  2. It announces approximate price ranges for different levels of vulnerabilities and bugs;
  3. Testers, programmers, and white-hat hackers look for problems in the product and send them to the company;
  4. The company pays rewards for successfully found vulnerabilities, bugs, and problems in its software.

👨‍💻 Why would we do that?

Bug Bounty gives us an opportunity to make our products even better and to show that our services are reliable. Our project expands and scales every day, which requires constant debugging and tracking of all processes. Users who work in IT often approach us and, on a voluntary basis, tell us about bugs they have found. By systematizing this process, we will be able to reward everyone who helps us become better.

🏆 Rewards

It is quite difficult to set strict limits and fixed prices, since vulnerabilities and bugs differ in nature and in the severity of damage they can cause to the service. However, we have tried to develop a scale that lets you estimate the reward for your work according to the importance of the finding.

Vulnerability                                                                  Reward
Remote code execution (RCE)                                                    1,000 – 3,500 USDT
Injections                                                                     500 – 1,500 USDT
IDORs / disclosure of protected personal data                                  200 – 1,000 USDT
Cross-Site Scripting (XSS), excluding self-XSS and *.avanchange.com domains    150 – 1,000 USDT
Various forms of fraud                                                         100 – 300 USDT
Minor bugs                                                                     5 – 100 USDT
Other                                                                          Depends on the criticality

In the case of fraud, the reward depends on how scalable the particular method is, how easy it is to use, and the level of damage it can cause. Decisions on the level of criticality are made together with our developers. This may take some time, on average 2–4 weeks.

🚫 Exceptions

AvanChange does not pay remuneration for:

  • fraud that requires massive and simultaneous actions by a large number of users;
  • slow brute force using multiple accounts (not within the scope of the contest);
  • social engineering of AvanChange employees;
  • disclosure of public user information;
  • issues and vulnerabilities inferred only from the version of a product in use, without a demonstrated exploit;
  • zero-day vulnerabilities in TLS;
  • reports on insecure SSL/TLS ciphers with no demonstration of exploitation;
  • reports of missing SSL/TLS or other best current practice (BCP) measures;
  • missing security mechanisms without a demonstrated exploit that could affect user data, for example missing CSRF tokens, clickjacking, etc.;
  • reflected file download, same-site scripting and other attacks with questionable impact on the security of the service;
  • missing or insecure CSP policies on the domain;
  • XSS and CSRF that require additional actions from the user. Rewards are paid only if the issue affects sensitive user data and triggers immediately when a user navigates to a specially crafted page, without requiring further user action;
  • XSS that requires injecting or spoofing a header such as Host, User-Agent, Referer, Cookie, etc.;
  • content spoofing, content injection or text injection with no proven security impact;
  • presence or absence of SPF and DKIM records;
  • attacks that require physical access to the user's device.

📊 Statistics

Reports count: 11
Rewards count: 8
Total paid: $7,300
Rewards median: $300

🏁 I want to get involved - where do I start?

We have no strict requirements for bug bounty participants: anyone can try their hand and be rewarded for it. When you identify a vulnerability, please prepare a report describing the vulnerability itself and the method of exploiting it. Send the report to code@vanchange.com.
