We continuously develop our bug bounty platform. Our Responsible Disclosure program will start with a limited scope within our bug bounty environment.

Program description

HACKRATE is looking for your help in protecting and securing their online assets.

General Rules

• Testing is only authorized on the targets listed as Scope.
• Any domain/property/database/IP address of HACKRATE not listed in the Scope section is strictly out of scope.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of HACKRATE’s services.
• Only interact with accounts you own.
• Reports must be exact, and the reports must contain the steps to follow to reproduce the issue. Attachments such as screenshots or proof of concept code are highly recommended.
• Reports will not be awarded if our security team cannot reproduce and verify an issue.
• You must be the first person to reveal a valid vulnerability ('duplicate' reports will not be rewarded).
• The use of automated scanners is prohibited.
• HACKRATE requests that testers do not perform automated/scripted testing of web forms, especially "Contact Us" forms.
• If you find the same vulnerability several times, please create only one report. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

HACKRATE reserves the right to modify the terms of this program or terminate it at any time.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please send your question to [email protected] before going any further.

Failure to comply with Program Rules rules can be sanctioned by the exclusion from the bug bounty program or, even worse (legal actions against you).

Credentials

Use your letmehack.it e-mail alias for testing. Your letmehack.it e-mail alias will forward all mails to your registered e-mail address at HACKRATE. For example: if your username is abcd, then your e-mail alias will be [email protected].

Out of scope targets

Anything outside of the explicitly approved testing scope is out of scope, including:

• *.hckrt.com

Strictly prohibited

• Denial of Service (DoS) and Distributed Denial of Service (DDoS) based attacks
• Non-technical attacks such as social engineering or phishing, vishing, smishing
• Physical security attacks
• Password cracking attempts (brute-forcing, rainbow table attacks, wordlist substitution, etc.)

Out of scope issues

• Open ports without an accompanying proof-of-concept demonstrating vulnerability
• Design flaws and best practices that do not lead to security vulnerabilities
• Weak/expired SSL configurations
• Vulnerabilities affecting users of outdated browsers
• Missing security best practices and controls (lack of CSRF protection, missing HttpOnly or secure flags on cookies, missing XSS-Protection HTTP header)
• Self XSS
• Software version disclosure
• Low impact session management issues
• Lack of strong password policy
• Internal IP disclosure
• Rate-limiting issues
• Lack of captcha's or other spam-preventing mechanisms
• Content spoofing and text injection issues
• User Enumeration
• Open redirects
• Clickjacking on pages with no sensitive actions
• DNS server misconfiguration, lack of DNS CAA, and DNS-related configurations
• Absence of SPF / DKIM / DMARC records
• Mixed content warnings

Public Disclosure

Before disclosing an issue publicly, we require that you first request permission from us (using [email protected] email address). HACKRATE will process requests for public disclosure on a per report basis. Any researcher found publicly disclosing reported vulnerabilities without HACKRATE's written consent will be sanctioned.

Rewards

HACKRATE currently does not offer rewards.

Your submission might be rejected if:

• Reports about theoretical damage
• Out of date software without proven exploitable risks
• Attacks requiring unrealistic user interaction
• All reports without proof-of-concept (POC)
• All reports without proven security impact