Bug Bounty

It is important for us to keep user data safe, so we are ready to cooperate with people who search for vulnerabilities and reward them.

Reward

Hosting.XYZ ltd provides a reward for vulnerabilities found. The minimum amount of remuneration is 50$, maximum - 500$... The amount of the reward depends on the level of vulnerability, which is determined by how realistic it is to exploit the vulnerability:

  1. High level - up to 500$. Access to the central database, access to the source code, execution of arbitrary commands on the central server, execution of arbitrary commands on the hosting server from the root user, or access to an account without the participation of the account owner.
  2. Medium level - up to 250$. Attacks requiring the user to follow a specific link.
  3. Low level - up to 150$. Potential attacks that are difficult to execute or for which a large number of factors must coincide. Attacks that:
    • do not lead to privilege escalation;
    • do not lead to access to user data.
  4. All XSS attacks that require following a link are capped at 50$

Reports

To increase trust in the parties, the vulnerability reporting process follows the following algorithm:

  1. Write to e-mail inquiry regarding the possibility of filing a report. We will tell you that we are ready to accept the new vulnerability. We will do this only if we have no other vulnerabilities in our work. Since there may be a situation that someone has already reported the same vulnerability, and it turns out that you sent the vulnerability, but you will not receive a reward for it.
  2. After obtaining consent, you check the possibility of exploiting the vulnerability.
  3. Only submit one bug. You should not send a lot of bugs at once, as there are often cases when, when a vulnerability is closed, it is closed immediately in other places. After all, one line of code can be called from hundreds of places in the program.
  4. We study the impact and reality of exploiting the vulnerability.
  5. We fix the bug.
  6. We pay remuneration to PayPal, current account, card, WebMoney account. We do not have the ability to make payments in cryptocurrencies (Bitcoin and others), since we do not use them.

Conditions

  1. The program does not include third-party development, zero-day operating system vulnerabilities, errors in processor cores and other vulnerabilities that we cannot influence.
  2. The program applies only to the site ukraine.com.ua, auth.adm.tools and adm.tools.
  3. Do not use the found vulnerability to change information or gain unauthorized access to it. Use your account for testing.
  4. Please let us know as soon as possible if you have inadvertently changed data that should not be changed. Do not view, modify or save data that was obtained in the event of a vulnerability.
  5. Act with good intentions so as not to violate the privacy of other users, not to disable services.
  6. Act within the law.
  7. The reward goes to the first person to report the vulnerability.
  8. Publication of a vulnerability on the Internet prior to its resolution may result in the cancellation of the reward. We will not negotiate in response to threats (for example, we will not negotiate a payout amount under threat of concealing a vulnerability or threatening to disclose a vulnerability or any disclosure to the public).
  9. The speed of processing bugs depends on the severity of bugs and the workload of programmers and takes from 3 to 30 days.

Vulnerabilities for which no remuneration is paid

The following questions are outside the scope of our reward program:

  1. Our policy regarding the presence / absence of SPF / DMARC records.
  2. Password, email and account policies such as email ID verification, reset link expiration, password complexity.
  3. Lack of CSRF tokens (if there is no evidence of an actual, confidential user action that is not protected by a token).
  4. CSRF in / out.
  5. Attacks that require physical access to the user's device.
  6. There are no security headers that do not directly lead to a vulnerability.
  7. Lack of best practices (we need proof of security vulnerability).
  8. Placing malicious / arbitrary content on hosting.
  9. Self-XSS (we need proof of how XSS can be used to attack another user).
  10. We will accept reports of vulnerabilities in the operating system and third-party products, but we will not reward them.
  11. Host header injections if you can't show how they can lead to user data theft.
  12. Using a known vulnerable library (no proof of use).
  13. Reports from automated tools or scans.
  14. Vulnerabilities affecting users of outdated browsers or platforms.
  15. Social engineering of employees or contractors of Hosting Ukraine.
  16. The presence of the autocomplete attribute in web forms.
  17. Missing cookie flags for insensitive cookies.
  18. Reports of insecure SSL / TLS ciphers (unless you have a working proof of concept, not just a report from a scanner).
  19. Any report that discusses how to find out if a given username or email address has a hosting account.
  20. Any report on circumvention of our service restrictions.
  21. Vulnerabilities related to content spoofing (where you can only insert text or an image into a page) are out of scope. We will accept and remediate a spoofing vulnerability where an attacker can enter an image or rich text (HTML), but this is not eligible for a reward. Introducing clean text is out of scope.
  22. Setting up multiple accounts using the same email address is also out of scope.
  23. Risk of phishing due to unicode / punycode or RTLO issues.
  24. The ability to determine whether a user is registered on the hosting, if his e-mail is known.
  25. Vulnerability related to the fact that we disabled DMARC. It is not a vulnerability that third-party servers ignore SPF records and accept letters from third-party services (including gmail).
  26. Any kind of flood and bruteforce, DOS and DDOS attacks on a site is out of scope. If you are testing the rate limit, then we have it set within 300 requests in 5 minutes.
  27. XSS token theft with spoofing _return_url will not lead to anything, since the signature contains the domain specified in _return_url and the token stolen in this way will not work.
  28. The presence on GitHub of FTP passwords with addresses * .ftp.ukraine.com.ua belongs to the vulnerabilities of our clients. We do not use FTP protocol to publish program code.
  29. Any theoretical attacks that do not work on our site.
  30. Attacks in which the attacker knows in advance the username, password and two-factor authorization code.
  31. Attacks in which the attacker knows the login and password from the mail to which the hosting account is registered or has access to the user's phone. 07/15/2021
  32. Attacks in which the attacker has physical access to the victim's computer or control of the victim's computer. 07/15/2021
  33. Attacks in which the victim of the attack is the attacker himself or for the attack you need full access to the account on which the attack is made (attacking yourself does not make sense). 09/08/2021.
  34. Lack of security headers COEP, COOP, CORS, CORB, Referrer-policy, Content-Security-Policy, HSTS . 29/08/2021
  35. Cookie-prefix, SameSiteCookie 29/08/2021
  36. Availability of information about the software that is used. 08/29/2021

Final provisions

  1. You are responsible for paying any taxes related to awards.
  2. We may change the terms of this program or terminate it at any time. We will not retroactively apply any changes to these program terms.
  3. Hosting.XYZ ltd employees and their family members are not eligible for remuneration.
  4. Hosting.XYZ ltd can provide you with free access to products. This access is for testing purposes only and may be revoked at any time with or without prior notice.