Wednesday, September 20, 2017

Bug Bounty Program at A-Ads

This article might be outdated. Please see the updated version here:  https://a-ads.com/blog/2018-10-04-bug-bounty-program/


The security of our operations is our highest priority for many reasons: we're dealing with our clients' money, we must protect our partners' privacy, and we have our own reputation at stake. Whether you are a professional security researcher or just a beginner, we welcome your security reports; however, we'd love them to be useful and actionable, which is why we have certain recommendations in that regard.

  Security report guidelines:
  • Please provide information on how the vulnerability you've discovered might be used, both theoretically and practically, what its impact is, and all the pertinent details.
  • Please provide the exact steps on how the vulnerability can be exploited and how we can reproduce the issue ourselves. We'd love to see a demonstration of the attack that does not affect our existing users. You may create as many test user accounts as you need.
  • Please submit the bug report via our support channels (email or website widget), but only after you've verified that it indeed works.
  • Use whatever language you prefer if you don't feel comfortable writing in English.

We leave the monetary reward you'll receive for your report to our discretion. The reward will be paid in bitcoins. Please remember that we don't reward reports of already known vulnerabilities, which are listed below.

Also, if you're a security researcher reading this, we'd like to draw your attention to the fact that our SPF record is indeed valid and that we do not deem account deletion a security vulnerability.

Hall of fame

  • 2018-05-06 Ch Chakradhar (Spi3er) reported a catalog CSRF vulnerability ($30)
  • 2018-03-02 Waqar Vicky reported a number of issues and received a $100 bounty:
    • Password reset requests are not rate limited and can be used to perform a DoS attack
    • Our jQuery library is outdated and might be insecure
    • We allow extremely weak passwords at user registration
    • After logging off you can use a web browser back button to see previously opened web pages
    • After changing an email address other open sessions are not invalidated
  • 2017-12-10 Anonymous researcher reported a session termination vulnerability and earned $50.
  • 2017-11-22 Anonymous researcher reported a self XSS protection vulnerability - we don't consider it to be our vulnerability, but we may take measures to mitigate it in the future.
  • 2017-11-22 Anonymous researcher reported a tab open vulnerability and earned ~$100.
  • 2017-11-22 Anonymous researcher reported an SSL cookie vulnerability (investigating).
  • 2017-11-21 Anonymous researcher reported a minor issue related to the email change and earned a reward of ~$30.
  • 2017-11-16 Ch Chakradhar (Spi3er) reported a minor issue which made it possible to check the existence of a user by email and earned a reward of ~$30.
  • 2017-11-08 Anonymous researcher reported a vulnerability which gave him access to our staging database and to a third-party server which we used for monitoring and control. Thus he earned a reward of ~$500.
  • 2017-11-05 Ankit Bharathan reported a low-impact XSS issue in ad preview page and earned a reward of ~$50.
  • 2017-07-04 Jens Mueller (@jensvoid) responsibly reported a CORS misconfiguration vulnerability and earned a reward of ~$240.