Bug Bounty

It is important for us to keep user data safe, so we are ready to cooperate with people who search for vulnerabilities and reward them.

We don't accept any XSS attack since 22 of April 2023 untill future notice.

Reward

Hosting.XYZ LTD provides a reward for vulnerabilities found. The minimum amount of remuneration is 50$, maximum — 1000$... The amount of the reward depends on the level of vulnerability, which is determined by how realistic it is to exploit the vulnerability:

  1. High level — up to 1000$. Access to the central database, access to the source code, execution of arbitrary commands on the central server, execution of arbitrary commands on the hosting server as root.
  2. Medium level — up to 250$. 
  3. Low level — up to 150$. Potential attacks that are difficult to make or for which a large number of factors must match. 
  4. All XSS attacks that require following a link are capped at 50$.
  5. Vulnerabilities found in alpha and beta versions of services are limited to 150$. (29/11/2022)

Reports

To increase confidence in the parties, the process of filing a vulnerability report is carried out according to the following algorithm:

  1. Write to email inquiry regarding the possibility of filing a report... We will tell you that we are ready to accept the new vulnerability. We will do this only if we have no other vulnerabilities in our work. Since there may be a situation that someone has already reported the same vulnerability, and it turns out that you sent the vulnerability, but you will not receive a reward for it.
  2. After obtaining consent, you check the possibility of exploiting the vulnerability.
  3. Only submit one bug... You should not send a lot of bugs at once, as there are often cases when, when a vulnerability is closed, it is closed immediately in other places. After all, one line of code can be called from hundreds of places in the program.
  4. We study the impact and reality of exploiting the vulnerability.
  5. We fix the bug.
  6. We pay remuneration to PayPal, current account or card. We do not have the ability to make payments in cryptocurrencies (Bitcoin and others), as we do not use them.

Conditions

  1. The program does not include third-party development, zero-day operating system vulnerabilities, errors in processor cores and other vulnerabilities that we cannot influence.
  2. The program applies only to the software created by us, which is located on the websites ukraine.com.ua, auth.adm.tools, webmail.online and adm.tools.
  3. Do not use the found vulnerability to change information or gain unauthorized access to it. Use your account for testing.
  4. Please let us know as soon as possible if you have inadvertently changed data that should not be changed. Do not view, modify or save data that was obtained in the event of a vulnerability.
  5. Act with good intent so as not to violate the privacy of other users, do not disable services.
  6. Act within the law.
  7. The reward goes to the first person to report the vulnerability.
  8. Publication of a vulnerability on the Internet prior to its resolution may result in the cancellation of the reward. We will not negotiate in response to threats (for example, we will not negotiate a payout amount under threat of concealing a vulnerability or threatening to disclose a vulnerability or any disclosure to the public).
  9. The speed of processing bugs depends on the severity of bugs and the workload of programmers and takes from 3 to 30 days.

Vulnerabilities for which no remuneration is paid

The following questions are outside the scope of our reward program:

  1. Our policy regarding the presence / absence of SPF / DMARC records.
  2. Password, email and account policies such as email ID verification, reset link expiration, password complexity.
  3. Lack of CSRF tokens (if there is no evidence of an actual, confidential user action that is not protected by a token).
  4. Attacks that require physical access to the user’s device. As well as attacks related to the interception of traffic. 
  5. There are no security headers that do not directly lead to a vulnerability.
  6. Lack of best practices (we need evidence of system vulnerability).
  7. Placing malicious / arbitrary content on hosting.
  8. Any attacks directed at itself, such as Self-XSS.
  9. We will accept reports of vulnerabilities in the operating system and third-party products, but we will not reward them.
  10. Host header injections if you can’t show how they can lead to user data theft.
  11. Using a known vulnerable library (no proof of use).
  12. Reports from automated tools or scans.
  13. Vulnerabilities affecting users of outdated browsers or platforms.
  14. Social engineering of employees or contractors of Hosting.XYZ LTD.
  15. The presence of the autocomplete attribute in web forms.
  16. Missing cookie flags for insensitive cookies.
  17. Reports of insecure SSL / TLS ciphers (unless you have a working proof of concept, not just a report from a scanner).
  18. The ability to determine whether the user is registered on the hosting, if his email is known.
  19. Any report on circumvention of our service restrictions.
  20. Content spoofing vulnerabilities (when you can only insert text or an image on a page) are out of scope. We will accept and fix a spoofing vulnerability where an attacker can enter an image or rich text (HTML) but is not eligible for a bounty. The introduction of pure text is out of scope.
  21. Create multiple accounts using the same email address.
  22. Risk of phishing due to unicode / punycode or RTLO issues.
  23. Vulnerability due to the fact that we disabled DMARC. It is not a vulnerability that third-party servers ignore SPF records and accept emails from third-party services (including Gmail).
  24. Any kind of flood and bruteforce, DoS and DDoS attacks, as well as attacks related to a decrease in server performance. 
  25. Attacks in which the attacker has access to the email or phone of the victim.
  26. Missing security headers COEP, COOP, CORS, CORB, Referrer-policy, Content-Security-Policy, HSTS, Cookie-prefix, SameSiteCookie...
  27. Availability of information about the software that is used. We are a hosting provider and announce information about installed software to customers. Therefore, this information cannot be classified.
  28. Obtaining the IP address of a company employee is not a vulnerability. Technical support opens links, you can send a phishing link or an SVG file to the mail, etc.
  29. The presence of EXIF data in image files that users submit. Our clients do not publish their personal photos on our site, which may contain EXIF with valuable coordinates.
  30. Loading SVG files. We save them as attachments and do not display them on the site. This avoids getting data from the site.
  31. Social Engeneering Attacks.
  32. Presence of CAA records in DNS.
  33. ""Friendly attacks" carried out by users who were granted access to services by the victim. 16/05/2023
  34. Any public CVE-, CWE-vulnerabilities of public software, certificates, etc.
  35. Attacks that require physical access to the victim's computer. 26/01/2024

Final provisions

  1. You are responsible for paying any taxes related to awards.
  2. We may change the terms of this program or terminate it at any time. We will not apply any changes made to these program terms retroactively.
  3. Employees of Hosting.XYZ LTD and their family members are not eligible for remuneration.
  4. Hosting.XYZ LTD can provide you with free access to products. This access is for testing purposes only and may be revoked at any time with or without prior notice.