Bug Bounty Program
Report vulnerabilities, earn rewards!
Join our Bug Bounty, enhance digital security, hack responsibly!
Welcome to the Bug Bounty Program for UNGUESS! We greatly value the security of our platforms, including unguess.io, tryber.me, and whitejar.io, and we encourage security researchers to help us identify and resolve potential vulnerabilities. This Bug Bounty Policy outlines the rules and guidelines for participating in our program and provides details on the rewards, scope, and reporting process.
Please be aware that any activity that does not adhere to the policies outlined on this page will not be eligible for payment under our bug bounty program.
Effective Date: 25/01/2024
Last update: 20/02/2024
DOMAINS UNDER TEST
Scope
Our Bug Bounty Program covers the following domains and associated services:
*tryber.me
*whitejar.io
app.unguess.io
We are particularly interested in vulnerabilities that could compromise the confidentiality, integrity, or availability of user data or disrupt the normal operation of our platforms.
All activities on this website (www.unguess.io) remain out of scope.
Rewards
We offer monetary rewards for the responsible disclosure of qualifying security vulnerabilities. The reward amounts are determined based on the severity and impact of the vulnerability. Rewards are granted at our sole discretion and are influenced by factors such as the quality of the report, the potential impact of the vulnerability, and the uniqueness of the finding.
The maximum reward per vulnerability will not exceed 1,000 euros.
Please be aware that any activity that does not adhere to the policies outlined on this page will not be eligible for payment under our bug bounty program.
Vulnerability Categories and Examples
Examples of vulnerabilities that are eligible for the Bug Bounty Program include (but are not limited to):
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Remote Code Execution (RCE)
- Server-Side Request Forgery (SSRF)
- SQL Injection (SQLi)
- Authentication or Authorization flaws
- Privilege Escalation
- Information Disclosure
- Misconfigurations
Ineligible Vulnerabilities
The following types of vulnerabilities are not eligible for rewards under our Bug Bounty Program:
- Any vulnerabilities on third-party applications/services integrated with our platforms.
- Self-XSS or reflected/encoded payloads that don’t demonstrate an exploit scenario.
- Issues that have already been reported by another researcher.
- Vulnerabilities that do not have a direct and significant impact.
- Vulnerabilities requiring physical access to a user’s device.
- Vulnerabilities related to outdated or unpatched browsers/plugins on the user’s end.
- Any activities on the website www.unguess.io
- Any activity that leads to DoS/DDoS
Reporting process
To report a security vulnerability, please follow these steps:
- Visit the Bug Bounty Submission Form;
- Provide a detailed description of the vulnerability, including steps to reproduce;
- Attach any relevant screenshots, videos, or proof-of-concept code;
- Submit the report.
Rules and Guidelines
- You must comply with all applicable laws and regulations during your participation in the Bug Bounty Program
- You may not publicly disclose or exploit the vulnerability before we have confirmed its resolution
- Do not access, modify, or delete any user data without explicit permission
- You must provide accurate and truthful information in your report
- We will investigate and resolve reported vulnerabilities as quickly as possible
- We reserve the right to modify the terms of the Bug Bounty Program or terminate it at any time
- You can use our testing campaign to find security vulnerabilities https://app.tryber.me/manual-cp-6833/ and NOT send reports on active live campaigns.
- Rate limit 5 req/sec
Acknowledgment
We are committed to acknowledging the contributions of security researchers who responsibly disclose vulnerabilities to us.
If you report a qualifying vulnerability, we will publicly acknowledge your contribution, unless you explicitly request otherwise.
Please be aware that any activity that does not adhere to the policies outlined on this page will not be eligible for payment under our bug bounty program.
Legal
This Bug Bounty Policy does not grant you any rights, licenses, or ownership in our platforms or associated services. You must comply with all applicable laws and regulations and respect our terms of service.
By participating in our Bug Bounty Program, you agree to abide by the rules and guidelines outlined in this policy.
For any inquiries or clarifications regarding the Bug Bounty Program, please contact us at info@unguess.io.
Disclaimer
This Bug Bounty Policy is subject to change without notice. We reserve the right to make amendments, updates, or modifications to this policy at any time. It is your responsibility to review this policy periodically to ensure your continued compliance.
By participating in our Bug Bounty Program, you acknowledge that you have read, understood, and agreed to the terms and conditions outlined in this policy.
Report a bug now!
Want to be an Ethical Hacker for our customers?
Show off your talent. Take part in the Bug Bounty Campaigns launched by our Clients and earn financial rewards based on the vulnerabilities you can find.