Bug Bounty
IN-SCOPE
The following domains/services are included in the scope of the program:
OUT-OF-SCOPE
Exploits/flaws that are not eligible for this program:
- Usage of large-scale vulnerability scanners, scrapers, or automated tools that produce excessive amounts of traffic
- Phishing attacks
- Denial of service attacks or other volume-based attacks
- Methods to reveal information about other running processes.
- Timing attacks which reveal information.
- Security bugs that do not affect our default application configuration.
- Rate limiting or brute force issues.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Any physical attempts against our property, data centers, or infrastructure providers.
- Missing security headers that do not directly lead to a vulnerability.
- Social engineering of our employees or clients.
- Vulnerabilities in the WireGuard, OpenVPN or V2Ray protocols should be reported to their official maintainers.
REWARDS
| EXPLOITS | REWARD |
|---|---|
| XSS | € 200 |
| XSS (Bypassing CSP) | € 400 |
| CSRF | € 400 |
| Authentication Bypass | € 1000 |
| SQL Injection | € 2000 |
| Arbitrary code execution | € 2000 |
| Arbitrary code execution (with privilege escalation) | € 4000 |
| Persistent code change | € 2000 |
RECEIVING YOUR AWARD
We only offer payouts in Monero (XMR).
Ground Rules:
- Only use the ticket system to contact us with the technical details of discovered vulnerabilities.
- Report any vulnerability you’ve discovered promptly.
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience.
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.
- You should only interact with test accounts you own.
- Do not engage in extortion.
SAFE HARBOR
When conducting vulnerability research under this policy, we consider it to be:
- Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy
- Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls
- Exempt from restrictions in our policies that would interfere with conducting security research, and we waive those restrictions on a limited basis
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You must comply with all applicable laws. If a third party takes legal action against you and you've followed this policy, we'll support you by clarifying that you've complied. If you're ever unsure about the consistency of your security research with this policy, please submit a report through the ticket system before proceeding further.
DISCLOSURE POLICY
If you believe you have discovered a vulnerability, please create a ticket through the ticket system.
- The report of your research must include exact steps to reproduce the vulnerability with clear descriptions. You may use this template to submit your report.
- Only use our official ticket system for any inquiries regarding the program.
- Publicly disclosing your research/submission without explicit, written permission from Xeovo and evaluation is a direct violation of the Rules of this bug bounty program, and you’ll be ineligible for a reward.