Buio Bug Bounty Program
We acknowledge the crucial role that security researchers and our user
community play in ensuring the security of Buio and our users. If you
have discovered a vulnerability in our site or product, you may be
eligible for a monetary reward based on the terms and conditions of
our Bug Bounty Program.
Please submit your bug reports to [email protected].
Rewards
We strive to reward valid reports within 30 days of acceptance, often
sooner. Bounty rewards will be calculated according to CVSS 3.1
standards where applicable. For our program, we refer to the official
CVSS 3.1 reference at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.
At our discretion as program owners, certain report types may not
receive rewards based on the CVSS 3.1 score. Such reports will either
receive a fixed amount reward or will be evaluated on a case-by-case
basis. Further details can be found in our official document.
Rules
Any activities conducted in accordance with this policy will be
considered authorized conduct, and we will not take legal action
against you. If a third party initiates legal action against you in
connection with activities carried out in compliance with this policy,
we will acknowledge that your actions were in accordance with this
policy. Buio reserves all legal rights in the event of noncompliance
with this policy.
Eligibility
- Be at least 16 years of age. If you are 16 years old but considered
  a minor in your place of residence, you must obtain permission from
  your parent or legal guardian before participating in the program.
- Must not be employed by Buio or any of its affiliates, or an
  immediate family member of an employee at Buio or any of its
  affiliates.
- Must not be a resident of, or make submissions from, a country
  against which the United States has imposed export sanctions or
  other trade restrictions, and must not be an embargoed or restricted
  person.
- Must not violate any national, state, or local laws or regulations
  related to any activities directly or indirectly associated with the
  program.
The DOs
- Abide by the Program Terms.
- Respect privacy and make a good faith effort not to access, process,
  or destroy personal data.
- Be patient and provide clarifications in good faith to any questions
  we may have about your report.
- Interact respectfully with our team, and we will reciprocate.
- Conduct testing only using your own personal/test accounts.
- Exercise caution during testing to avoid any negative impact on
  customers or the services they rely on.
- Stop testing whenever unsure. If you believe testing a vulnerability
  may cause or has caused damage, report your initial findings and
  request authorization to continue testing.
The DO NOTs
- Leave any system in a more vulnerable state than you found it.
- Engage in brute force or guess credentials to gain unauthorized
  access to systems.
- Participate in denial of service attacks.
- Upload shells or create any type of backdoor.
- Publicly disclose a vulnerability without our explicit review and
  consent.
- Engage in any form of social engineering targeting Buio employees,
  customers, affiliates, or partners.
- Attempt to extract, download, or exfiltrate data that may contain
  Personally Identifiable Information or other sensitive data, unless it
  belongs to you.
- Change passwords of any account that does not belong to you or for
  which you do not have explicit permission to change. If prompted to
  change the password for an account you did not create or were not
  authorized to use, immediately stop and report your findings.
- Engage in activities that violate privacy, cause data destruction,
  or disrupt our services.
- Interact with accounts that you do not own.
Out of Scope
The following activities are considered out of scope for our Bug
Bounty Program:
- Physical or social engineering attempts, including phishing attacks
  against Buio employees.
- Ability to send push notifications/SMS messages/emails without the
  ability to change content.
- Ability to take over social media pages (Twitter, Facebook,
  LinkedIn, etc.).
- Reports with negligible security impact.
- Unchained open redirects.
- Reports stating that software is out of date or vulnerable without
  providing a proof-of-concept.
- Highly speculative reports about theoretical damage.
- Vulnerabilities reported by automated tools without additional
  analysis demonstrating their impact.
- Reports from automated web vulnerability scanners (Acunetix, Vega,
  etc.) that have not been validated.
- SSL/TLS scan reports (e.g., output from SSL Labs).
- Open ports without an accompanying proof-of-concept demonstrating
  vulnerability.
- CSV injection.
- Best practices concerns.
- Protocol mismatch.
- Rate limiting.
- Dangling IPs.
- Vulnerabilities that cannot be used to exploit other users or Buio,
  such as self-XSS or executing JavaScript in the browser console.
- Missing cookie flags on non-authentication cookies.
- Reports that only affect outdated user agents. Exploits are only
  considered in the latest browser versions for Safari, Firefox,
  Chrome, Edge, and IE.
- Issues requiring physical access to a victim's computer or device.
- Path disclosure.
- Banner grabbing issues (determining the web server used, etc.).
- If a site is complying with the privacy policy, there is no
  vulnerability.
- Enumeration/account oracles.
- Account oracles - the ability to submit a phone number, email, UUID,
  and receive a message indicating the existence of a Buio account.
- Distributed denial of service attacks (DDoS).
Details
When you are ready to make a submission, please ensure that you have
thoroughly read our Bug Bounty Program Policy and then email us at
[email protected].