Bug Bounty
LinkPay.io Bug Bounty Program Terms
The scope for LinkPay.io's Bug Bounty Program is focused on securing the data of our users and company assets. Therefore, our approach is to evaluate any given report based on the specific security impact for users. Issues that do not have an information security-related impact will be closed. Below we describe the various security impact categories that are in-scope, examples of admissible vulnerability types, and domains that could potentially have meaningful security impact.
By submitting a report or otherwise disclosing a vulnerability to us (making a "Submission"), you are indicating that you have read and agree to follow the rules set forth on this page ("Program Terms").
Ground Rules
Do:
• Do abide by these Program Terms.
• Do be patient & make a good faith effort to provide clarifications to any questions we may have about your submission.
• Do be respectful when interacting with our team, and our team will do the same.
• Do perform testing only using accounts that are your own personal/test accounts. By default, we expect your report to clearly reference your @wearehackerone.com email address.
• Do exercise caution when testing to avoid negative impact to data or services.
• Do respect privacy & make a good faith effort not to change or destroy LinkPay.io or personal data.
• Do stop whenever you are unsure if your test case may cause, or have caused, destructive data or systems damage with testing a vulnerability; report your initial finding(s) and request authorization to continue testing.
Do NOT:
• Do not leave any system in a more vulnerable state than you found it.
• Do not use or interact with accounts you do not own.
• Do not brute force credentials or guess credentials to gain access to systems or accounts.
• Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If ever prompted to change a password of an account you did not register yourself or an account that was not provided to you, stop and report the finding immediately.
• Do not perform denial of service (DoS) attacks or related tests that would cause availability interruptions or degradation of our services.
• Do not publicly disclose a vulnerability submission without our explicit review and consent.
• Do not engage in any form of social engineering of LinkPay.io employees, customers, or partners.
• Do not engage or target any specific LinkPay.io employees, customers, or partners during your testing.
• Do not access, extract, or download personal or business information beyond that which is minimally necessary for your Proof-of-Concept purposes.
• Do not do anything that would cause destruction of LinkPay.io data or systems.
Good Faith Disclosures and Safe Harbor
You must act in good faith when investigating and reporting vulnerabilities to us. Acting in good faith means that you will:
• Follow the rules outlined in this policy: This includes the Program Terms, LinkPay.io Terms of Use, and any terms and conditions for LinkPay.io's in-scope domains. If there is any inconsistency between these Program Terms and any of LinkPay.io's other terms, these Program Terms will control.
• Respect our users' privacy: You should only interact with LinkPay.io accounts you own or with explicit permission from the account holder. The intent of the program is designed to hunt for vulnerabilities in our products and services. If you encounter user information during the course of your research: o Stop at that point in your testing where you have an adequate proof of concept for submission purposes. Actions taken beyond this are not authorized. o Report the Submission with a complete proof of concept immediately to our security team so we can investigate.
o Keep user information confidential; Do not save, copy, store, transfer, disclose, or otherwise retain the information.
o Work with us if we have any further requests.
Extortion: You should never illegally or in bad faith leverage the existence of a vulnerability or access to sensitive or confidential information, such as making extortionate demands or ransom requests. If you find a vulnerability, report it to us with no conditions attached.
Test with care: You should never leave a system or users in a more vulnerable state than when you found them. This means that you should not engage in testing or related activities that degrades, damages, or destroys information within our systems, or that may impact our users, such as denial of service, social engineering or spam. If you have made a good faith effort to abide by these Program Terms, we will not initiate or recommend legal action against you, and if a third party initiates legal action, we will make it known that your activities were conducted pursuant to the Bug Bounty Program. Failure to act in good faith will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any benefit of the Bug Bounty Program. If at any point while researching a vulnerability, you are unsure whether you should continue, immediately engage with our security team.
Eligibility to Participate
To be eligible to participate in our Bug Bounty Program, you must:
• Be at least 18 years of age if you test using a LinkPay.io account.
• Not be employed by LinkPay.io or any of its affiliates or an immediate family member of a person employed by LinkPay.io or any of its affiliates.
• Not be a resident of, or make Submissions from, a country against which the United States has issued export sanctions or other trade restrictions.
• Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Bug Bounty Program.
• Not be using duplicate HackerOne accounts.
If (i) you do not meet the eligibility requirements above; (ii) you breach any of these Program Terms or any other agreements you have with LinkPay.io or its affiliates; or (iii) we determine that your participation in the Bug Bounty Program could adversely impact us, our affiliates or any of our users, employees or agents, we, in our sole discretion, may remove you from the Bug Bounty Program and disqualify you from receiving any benefit of the Bug Bounty Program.
Out-of-Scope
Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to:
• Vulnerabilities not involving product or coding flaws, but solely relying upon possession of stolen or compromised credentials or authentication obtained by ATO or credential stuffing, and by enumeration with pre-defined and known list of UUIDs.
• Vulnerabilities dependent on Phishing in a DNS domain that is not in one of our primary service domains.
• Most vulnerabilities that rely on a runtime context within a sandbox, lab, staging, testing or non-production environment.
• Vulnerabilities involving stolen or compromised credentials.
• Open redirect resulting in a low security impact. In the event you are able to chain with other vulnerabilities (e.g., steal tokens, SSRF, etc.), please let us know.
• Credential stuffing or physical access to a device.
• Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls.
• Man-in-the-Middle attacks except in mobile applications.
• Account enumeration with a pre-defined and known list of UUIDs.
• Invite/Promo code enumeration.
• Ability to send push notifications/SMS messages/emails without the ability to change content.
• Information disclosures related to existence of accounts: Account oracles, the ability to submit a phone number, email, UUID and receive back a message indicating an account exists.
• Reports against LinkPay.io services that state that a particular software component is of a specific version, and is vulnerable without an accompanying proof-of-concept.
• Vulnerabilities only affecting users using outdated, unpatched, or unsupported browsers, mobile application, mobile operating system, and end-point client software, including the versions of our applications currently in the app stores.
• Stack traces, path disclosure, and directory listings.
• CSV injection vulnerabilities.
• Best practices concerns without a demonstrable information assurance issue and proof-of-concept.
• Ability to take over social media pages (Twitter, Facebook, LinkedIn, etc.). • Negligible security severity.
• Speculative reports about theoretical damage -- please always provide a proof-of-concept.
• Vulnerabilities that cannot be used to exploit other users or LinkPay.io (e.g., self-xss or having a user paste JavaScript into the browser console).
• Vulnerabilities as reported by automated scanning and/or enumeration tools without additional analysis, validation, or reasoning as to how such Submissions have a demonstrable information assurance impact and vulnerability.
• Distributed or denial of service attacks (DDoS/DoS) and/or reports on rate limiting issues.
• Content injection or content spoofing issues.
• Cross-site Request Forgery (CSRF) with minimal security implications or lack of information assurance issues (e.g., Logout CSRF, etc.).
• Missing cookie flags on non-authentication cookies.
• Submissions that require physical access to a victim's computer/device for successful exploitation.
• SSL/TLS protocol scan reports reporting purported vulnerable protocol versions or handshakes.
• Banner grabbing issues (figuring out what web server we use, etc.).
• Open ports or services without an accompanying proof-of-concept demonstrating a vulnerability or bonafide information assurance issues.
• Physical or social engineering attempts (this includes phishing attacks against LinkPay.io employees).
• Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation.
• Dangling IPs.
• Subdomain takeovers - please demonstrate that you are able to take over the page by leaving a non-offensive message, such as your username.
• Reports on third-party products, services, or applications not owned by LinkPay.io.
Account & Financial Fraud
Certain types of account fraud are in-scope provided that part of the attack chain relies on exploiting the workflow logic caused by technical product and services vulnerabilities, coupled with additional operational security loopholes for a hybrid end-to-end exploit. Vulnerabilities associated with fraud will be reviewed on a case-by-case basis and must be determined to be related to a technical product vulnerability to be considered in-scope. Fraud unrelated to product security issues is not handled by the bug bounty program and should be reported to [email protected].
Calculating Security Impact
Understanding the security impact of a given report is crucial for assessing the severity and potential exploitation risk. Below are some categories to consider when evaluating security impact:
Multiplying Factors:
• Sensitivity of user data exposed: When a vulnerability exposes user data, the sensitivity of the type of information exposed influences the security impact.
• Scale of exposure: Understanding the scale of exposure and how many potential victims exist if the vulnerability is exploited.
• Severity of forged actions: The severity of actions an attacker can forge on behalf of the user, such as changing payment information or account settings.
• Forging communication from LinkPay.io: Ability to send communication appearing to be from LinkPay.io to a victim, such as in-app notifications.
Mitigating Factors:
• Requires user interaction: Exploits that require user interaction to be successful.
• Authorized relationship: Scenarios involving an authorized relationship or explicit permission from the victim.
• Requires brute forcing: Exploits requiring brute forcing of values, with difficulty based on the type of value.
• Existence of rate limiting: Rate limiting that inhibits large-scale exploitation.
• Physical access: Exploits requiring physical access to a device.
• Noticeable to the victim: Exploits that are immediately noticeable to the victim, such as password changes.
• Account put into arrears or banned: Exploits that result in the attacker's account being banned or in arrears.
• Social engineering: Exploits requiring social engineering to be successful.
• Requires privileged network position: Exploits requiring a privileged network position (e.g., MITM attacks).
• Requires multiple accounts: Exploits requiring the ability to create multiple accounts.
Confidentiality
Any information you receive or collect about us, our affiliates, or any of our users, employees, or agents in connection with the Bug Bounty Program ("Confidential Information") must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose, or distribute any such Confidential Information, including without limitation any information regarding your Submission, without our prior written consent. You must get written consent by submitting a disclosure request through the HackerOne platform.
Report Quality
High-quality submissions allow our team to understand the issue better and engage the appropriate teams to fix it. The best reports provide enough actionable information to verify and validate the issue without requiring follow-up questions.
Guidelines for a high-quality report:
• Check the scope page before you begin writing your report to ensure the issue you are reporting is in scope for the program.
• Provide clear details for our team to reproduce the issue, including screenshots where applicable.
• Include your understanding of the security impact of the issue.
• Video proof-of-concepts (PoCs) will only be considered with a completed report. Stand-alone video proof-of-concepts will automatically be closed.
• A vulnerability must be verifiable and reproducible to be considered in scope.
• All reports must demonstrate security impact to be considered for a bounty reward.
• Known vulnerabilities or submissions leading back to the same root cause will be classified as a duplicate finding.
Report States
We strive to be consistent with how we close reports. Below are the details for each state:
• Spam: A report with no useful information.
• Needs more info: Not enough actionable information in the report to triage.
• Not applicable: No reproducible security vulnerability or explicitly out-of-scope per our guidelines.
• Duplicate: A vulnerability that has previously been found either internally or via HackerOne.
• Informative: A reproducible issue with negligible security impact or an issue with a product that doesn't affect our service/software.
• Triaged: A valid report or a report that needs more investigation from an internal team.
• Resolved: A verified vulnerability that has been fixed.
Bounty Amounts
Reports that require an attacker to be authenticated, including accounts they can sign up for, will have the Privileges Required metric set to Low (PR ) when calculating the CVSS severity score. Previous bounty amounts are not considered precedent for future bounty amounts, as the security impact of the same issue can vary over time. Bounty awards are not additive and are subject to change as our internal environment evolves.
Rights and Licenses
We may modify the Program Terms or cancel the Bug Bounty Program at any time. By making a Submission, you represent and warrant that the Submission is original to you and you have the right to submit the Submission. By making a Submission, you give us the right to use your Submission for any purpose.
Appendix: Bounty Price List
The following table outlines the types of vulnerabilities and the corresponding severity levels that are eligible for bounty rewards under the LinkPay.io Bug Bounty Program. The exact amount of the bounty will be determined based on the specific security impact of the reported vulnerability.
Vulnerability Type Common Severity Range
IDOR Low - Critical
Information Disclosure Low - Critical
Server-Side Request Forgery Medium - Critical XSS (Cross-Site Scripting) Medium - High
Unauthorized Requests Low - Critical Monetary Impact Low - Critical Phishing Low - High
Safety-Related Issues Low - Critical
Subdomain Takeover Medium - High
Broken URL Links Low 3rd Party Info Disclosures Case by Case
Reward Policy Exceptions
Certain report types may receive rewards without calculating a CVSS 3.1 score. The fixed rewards for these report types will be determined on a case-by-case basis.
• Subdomain Takeover
• *Broken URL Links on .linkpay.io
• 3rd Party Information Disclosures (e.g., Prezi, Trello, Google Docs, etc.)
Additional Reward Policy
• Previous bounty amounts are not considered a precedent for future bounty amounts.
• Bounty awards are not additive and are subject to change as our internal environment evolves.
• The bounty amount is determined by the security impact of the issue, considering the scale of exposure and various mitigating and multiplying factors.
• If multiple reports for the same issue are received, only the earliest valid report that meets requirements and provides enough actionable information to identify the issue may be considered for a bounty.