iPaidThat values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities.
Since November 2021, iPaidThat has been running a private bug bounty program on https://www.intigriti.com/
If you do not receive an answer to your report, it is because the report was either:
considered informational
considered a duplicate
Out of scope domains
https://ipaidthat.io/mag, a WordPress instance running on a dedicated server that holds no sensitive data, is out of scope.
Any domain not listed in the Domains section is out of scope for this program.
We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we will not take legal action against you nor ask law enforcement to investigate you provided you comply with the following Responsible Disclosure Guidelines:
PLEASE DO NOT RUN ANY AUTOMATED SCAN AGAINST OUR INFRASTRUCTURE. IF YOU USE TOOLS SUCH AS BURP SUITE REPEATER, THROTTLE YOUR REQUESTS TO SIMULATE NORMAL USER USAGE.
Create an account with the following phone number: +336 13371337
Use a valid email address so we can get in touch with you in case you generate too much "noise".
Do not create more than 5 accounts.
Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
Do not modify or access data that does not belong to you.
Give iPaidThat a reasonable time to correct the issue before making any information public, and ask for our approval before making any disclosure.
Endpoints
Website related endpoints on https://ipaidthat.io
API related endpoints on ipaidthat.io
We are primarily interested in hearing about the following vulnerability categories:
Sensitive data exposure, stored Cross-Site Scripting (XSS), SQL Injection (SQLi), etc.
Authentication or Session Management related issues
Remote Code Execution
Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
Out of Scope
The following vulnerability categories are considered out of scope of our responsible disclosure program and should be avoided by researchers.
Self-XSS that cannot be used to exploit other users
Verbose messages/files/directory listings without disclosing any sensitive information
CORS misconfiguration on non-sensitive endpoints
Missing cookie flags
Missing security headers which do not lead directly to a vulnerability
Cross-site Request Forgery with no or low impact
Presence of autocomplete attribute on web forms
Reverse tabnabbing
Bypassing rate-limits or the non-existence of rate-limits.
Best practices violations (password complexity, expiration, re-use, etc.)
Clickjacking on pages with no sensitive actions
CSV Injection
Host Header Injection
Sessions not being invalidated (logout, enabling 2FA, ..)
Hyperlink injection/takeovers
Mixed content type issues
Cross-domain referer leakage
Anything related to email spoofing, SPF, DMARC or DKIM
Content injection
Username / email enumeration
E-mail bombing
E-mail validation
HTTP Request smuggling without any proven impact
Homograph attacks
XMLRPC enabled
Banner grabbing / Version disclosure
Open ports without an accompanying proof-of-concept demonstrating vulnerability
Weak SSL configurations and SSL/TLS scan reports
Not stripping metadata from images
Disclosing API keys without proven impact
Same-site scripting
Subdomain takeover claims without actually taking over the subdomain
Arbitrary file upload without proof of the existence of the uploaded file
HyperLink injection on Email
Open redirect without proven impact
Any other iPaidThat subdomains
Denial of Service (DoS) – Either through network traffic, resources exhaustion or others
Issues only present in old browsers/old plugins/end-of-life software browsers
Phishing or social engineering of iPaidThat employees, users or clients
TLS cookie without the Secure flag set
Privilege escalation between members of the same organisation
Missing CSRF token on some endpoints (we are aware of some issues and are working on them)
Systems or issues that relate to Third-Party technology used by iPaidThat
Disclosure of known public files and other information disclosures that are not a material risk (e.g.: robots.txt)
Any attack or vulnerability that hinges on a user’s computer first being compromised
Report from automated tools or scans
DNSSEC
Issues relating to HSTS
Physical attack on the infrastructure
Browsers that support the "Content Security Policy" tag
Theoretical attacks
Breaking of SSL/TLS trust
Compromising of browser/device (ex. computer sharing, physical access to a user's device, ...)
Outdated DNS record pointing to system which does not belong to iPaidThat
Access to content via means of CDN / Content Delivery Networks / Network caches
Vulnerability Rewards
| Level | Examples | Reward |
|---|---|---|
| Critical | Remote code execution, SQL injection, data leak, server access | $500+ |
| High | Privilege escalation to Super Admin accounts, access to unauthorized private data | $200+ |
| Medium | XSS, security misconfiguration | $100+ |
| Low | Vulnerability may result in limited risk or require the presence of multiple additional vulnerabilities to become exploitable. Examples include overly verbose error messages and detailed banner information disclosure. | $25-$75 |
| Informative | Finding does not have a direct security impact but represents an opportunity to add an additional layer of security, is a deviation from best practices, or is a security-relevant observation that may lead to exploitable vulnerabilities in the future. Examples include vulnerable yet unused source code, missing HTTP security headers, and DMARC / DKIM / SPF misconfiguration. | $0 |
Vulnerability rating is based on CVSS and on the judgement of the iPaidThat team.
On top of this reward, we will also list you here in the Special Thanks section (if you accept).
Reporting a Security Vulnerability
Submit your finding to security@ipaidthat.io.
Please include:
A summary of the problem
A proof-of-concept or a stepwise breakdown