Report vulnerabilities at: security@shockbyte.com

# Welcome to Shockbyte's Bug Bounty Program

Our bug bounty program is a reward-based initiative for individuals or groups who discover and report security vulnerabilities or bugs in our software, websites, or digital infrastructure. The purpose of bug bounty programs is to encourage security researchers, often referred to as "white hat" or ethical hackers, to identify and disclose potential weaknesses that could be exploited by malicious hackers.

The scope of the Bug Bounty Program currently includes:

- https://shockbyte.com
- https://mc.shockbyte.com
- https://panel.shockbyte.com

## How to report an issue?

To report an issue, send an email to security@shockbyte.com; we will respond in a timely manner. Please provide as much detail as possible.

## Out of scope

- All other domains and sub-domains are out of the scope of this bug bounty program.
- Issues that we are already aware of and/or that are actively being resolved.

## What do we not accept

We will not accept the following types of reports. This list is sourced from existing bug bounty programs.

- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
- Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
- Tabnabbing
- Open redirect, unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction

## Rules, notes and regulations

- The security team decides the level of severity internally; we do this based on calculations using https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.
- You may not disclose vulnerabilities to third parties.
- Abusing found vulnerabilities:
  - removes eligibility for compensation
  - will result in legal action
- Pay-out will happen after triage, expected to be within 7 days.
- Pay-out will be made using Wise.com.
- Rules, notes and regulations might be changed at any time.

The following compensation is available for reporters who successfully report a vulnerability through the program:

- Critical: $1500 USD
- High: $750 USD
- Medium: $250 USD
- Low: $100 USD