Bug Bounty

It is important for us to keep user data safe, so we are ready to cooperate with people who search for vulnerabilities and reward them.

Reward

Hosting.XYZ LTD provides a reward for vulnerabilities found. The minimum amount of remuneration is 50$, maximum - 500$. The amount of the reward depends on the level of vulnerability, which is determined by how realistic it is to exploit the vulnerability:

  1. High level - up to 500$. Access to the central database, access to the source code, execution of arbitrary commands on the central server, execution of arbitrary commands on the hosting server as root, or access to the account without the participation of the account owner.
  2. Medium level - up to 250$. Attacks that require the user to click on a specific link.
  3. Low level - up to 150$. Potential attacks that are difficult to execute or for which a large number of factors must coincide. Attacks that:
    • Do not result in privilege escalation.
    • Do not result in access to user data.
  4. All XSS attacks that require following a link are capped at 50$.
  5. Vulnerabilities found in alpha and beta versions of services are limited to 150$. (29/11/2022)

Reports

To increase confidence in the parties, the process of filing a vulnerability report is carried out according to the following algorithm:

  1. Write to email inquiry regarding the possibility of filing a report. We will tell you that we are ready to accept the new vulnerability. We will do this only if we have no other vulnerabilities in our work. Since there may be a situation that someone has already reported the same vulnerability, and it turns out that you sent the vulnerability, but you will not receive a reward for it.
  2. After obtaining consent, you check the possibility of exploiting the vulnerability.
  3. Only submit one bug. You should not send a lot of bugs at once, as there are often cases when, when a vulnerability is closed, it is closed immediately in other places. After all, one line of code can be called from hundreds of places in the program.
  4. We study the impact and reality of exploiting the vulnerability.
  5. We fix the bug.
  6. We pay remuneration to PayPal, current account or card. We do not have the ability to make payments in cryptocurrencies (Bitcoin and others), as we do not use them.

Conditions

  1. The program does not include third-party development, zero-day operating system vulnerabilities, errors in processor cores and other vulnerabilities that we cannot influence.
  2. The program applies only to the site ukraine.com.ua, auth.adm.tools and adm.tools.
  3. Do not use the found vulnerability to change information or gain unauthorized access to it. Use your account for testing.
  4. Please let us know as soon as possible if you have inadvertently changed data that should not be changed. Do not view, modify or save data that was obtained in the event of a vulnerability.
  5. Act with good intent so as not to violate the privacy of other users, do not disable services.
  6. Act within the law.
  7. The reward goes to the first person to report the vulnerability.
  8. Publication of a vulnerability on the Internet prior to its resolution may result in the cancellation of the reward. We will not negotiate in response to threats (for example, we will not negotiate a payout amount under threat of concealing a vulnerability or threatening to disclose a vulnerability or any disclosure to the public).
  9. The speed of processing bugs depends on the severity of bugs and the workload of programmers and takes from 3 to 30 days.

Vulnerabilities for which no remuneration is paid

The following questions are outside the scope of our reward program:

  1. Our policy regarding the presence / absence of SPF / DMARC records.
  2. Password, email and account policies such as email ID verification, reset link expiration, password complexity.
  3. Lack of CSRF tokens (if there is no evidence of an actual, confidential user action that is not protected by a token).
  4. Attacks that require physical access to the user's device. As well as attacks related to the interception of traffic.
  5. There are no security headers that do not directly lead to a vulnerability.
  6. Lack of best practices (we need evidence of system vulnerability).
  7. Placing malicious / arbitrary content on hosting.
  8. Any attacks directed at itself, such as Self-XSS.
  9. We will accept reports of vulnerabilities in the operating system and third-party products, but we will not reward them.
  10. Host header injections if you can't show how they can lead to user data theft.
  11. Using a known vulnerable library (no proof of use).
  12. Reports from automated tools or scans.
  13. Vulnerabilities affecting users of outdated browsers or platforms.
  14. Social engineering of employees or contractors of Hosting.XYZ LTD.
  15. The presence of the autocomplete attribute in web forms.
  16. Missing cookie flags for insensitive cookies.
  17. Reports of insecure SSL / TLS ciphers (unless you have a working proof of concept, not just a report from a scanner).
  18. The ability to determine whether the user is registered on the hosting, if his email is known.
  19. Any report on circumvention of our service restrictions.
  20. Content spoofing vulnerabilities (when you can only insert text or an image on a page) are out of scope. We will accept and fix a spoofing vulnerability where an attacker can enter an image or rich text (HTML) but is not eligible for a bounty. The introduction of pure text is out of scope.
  21. Create multiple accounts using the same email address.
  22. Risk of phishing due to unicode / punycode or RTLO issues.
  23. Vulnerability due to the fact that we disabled DMARC. It is not a vulnerability that third-party servers ignore SPF records and accept emails from third-party services (including Gmail).
  24. Any kind of flood and bruteforce, DoS and DDoS attacks, as well as attacks associated with a decrease in server performance.
  25. Attacks in which the attacker knows in advance the login, password, and two-step authentication code.
  26. Attacks in which the attacker knows the login and password from the mail to which the hosting account is registered, or has access to the user's phone. 15/07/2021
  27. Security headers missing COEP, COOP, CORS, CORB, Referrer-policy, Content-Security-Policy, HSTS, Cookie-prefix, SameSiteCookie . 08/29/2021
  28. Availability of information about the software that is used. We are a hosting provider and announce information about installed software to customers. Therefore, this information cannot be classified. 29/08/2021
  29. Obtaining the IP address of a company employee is not a vulnerability. Technical support opens links, you can send a phishing link or SVG file to the mail, etc. 24/11/2021
  30. The presence of EXIF data on pictures sent by users. Our clients do not publish their personal photos on our website, which may contain EXIF with coordinates. 30/11/2021
  31. Loading SVG files. We save them as attachments and do not display them on the site. This avoids getting data from the site. 01/12/2021
  32. Social Engeneering Attacks. 18/07/2022
  33. Presence of CAA records in DNS. 29/11/2022
  34. Vulnerability reports are temporarily unacceptable due to a redesign of the storage service. 30/11/2022

Final provisions

  1. You are responsible for paying any taxes related to awards.
  2. We may change the terms of this program or terminate it at any time. We will not apply any changes made to these program terms retroactively.
  3. Employees of Hosting.XYZ LTD and their family members are not eligible for remuneration.
  4. Hosting.XYZ LTD can provide you with free access to products. This access is for testing purposes only and may be revoked at any time with or without prior notice.