vFairs Bug Bounty Program

Thank you for your interest in helping us improve the security of our open source products, websites and other properties. We have created this Bug Bounty program to appreciate and reward your efforts.

Reward Guidelines:

We base all payouts on impact and will reward accordingly. Please emphasize the impact as part of your submission. We are particularly interested and will consider extraordinary submissions for issues that result in full compromise of a system.

Priority

Reward Range

Critical

$500 – $1,000 depending on severity.

High

~ $250 to $500

Medium

 ~ $50 to $250

Low

Case to case

Common in all of the above

Certificate of appreciation + inclusion in our hall of fame

The table above outlines the nominal rewards for in-scope assets. We will make the final decision on the bounties and rewards for qualifying vulnerabilities. Bounties will only be awarded to the first reporter of a vulnerability. The amounts may vary depending on the severity of the issue and the quality of the report. vFairs holds the right to make the final decision at its own discretion.

General Guidelines:

  • We kindly request that vulnerability reports meet certain criteria for consideration. Reports that solely rely on automated tools, scanners, or theoretical attack descriptions without accompanying proof of exploitability will unfortunately not be accepted.
  • To enhance the quality of your submission, please include step-by-step instructions that allow us to replicate and validate the reported vulnerability. A functional proof of concept should be demonstrated to showcase the exploit.
  • Please ensure that your submission contains sufficient and pertinent details to facilitate a comprehensive understanding of the vulnerability. Submissions lacking in this regard will regrettably be declined.
  • Given that our websites share a common stack, vulnerabilities that affect multiple websites will be treated as a single report when determining bounty eligibility.
  • IMPORTANT: We kindly request that communication occur solely via email. Attempts to contact vFairs members via personal phone numbers for updates or inquiries regarding your report may result in a ban and disqualification of your report.
  • IMPORTANT: For all communication, please use the designated email address provided above. Contacting other vFairs team members in an attempt to escalate the bug bounty report may lead to a ban and the disqualification of your report. Your adherence to these guidelines is greatly appreciated.
  • Maintain Confidentiality: Eligibility for any recognition or rewards within this program is the strict maintenance of confidentiality. Must not publicly disclose any information about discovered vulnerabilities until the program team has investigated and addressed them. This approach helps protect our users and maintains the integrity of our systems.

Qualifying Vulnerabilities:

Any reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:

  1. Cross Site Request Forgery (CSRF)
  2. Server Side Request Forgery (SSRF)
  3. Remote Code Execution (RCE)
  4. SQL Injection (SQLi)
  5. Privilege Escalation

Exclusion List:

We are generally not interested in DoS vulnerabilities that are perceived by a lack of rate-limiting or captcha. As a web-scale service, our threshold for rate limiting is higher than you might expect. Of course, if you think you have found an exception to this rule, please let us know.

  1. Marketing/Product website (https://www.vfairs.com)
  2. Any Testing / Demonstration websites
  3. Any contact or support forms
  4. Anything SSL (related attacks, insecure cipher suites, etc.)
  5. Weak Captcha / Captcha Bypass
  6. Username / Email Enumeration
  7. Brute Force attacks on our Login or Forgot Password pages
  8. Account lockout enforcement and related attacks
  9. HTTP security headers and Cookies related Issues
  10. Weak password policies
  11. CSRF on forms that are available to anonymous users (e.g., login or contact forms)
  12. Clickjacking,
  13. Tab nabbing
  14. Anything related to Mail Server Domain Misconfiguration (Email spoofing, missing DMARC, SPF/DKIM, etc.)
  15. Vulnerabilities impacting only old or end-of-life platforms, browsers, and plugins
  16. Cross-site scripting (XSS) is out of scope for that are impact less.
  17. Missing Best Practices that don’t pose a direct security threat will most likely not be accepted
  18. Vulnerabilities discovered in non-production environments
  19. Only report issues that are reproducible and verifiable
  20. Reports of vulnerabilities that have already been submitted.
Please ensure any reported vulnerabilities are relevant to our active and production systems to ensure effective and meaningful security improvements.

Crafting a Report:

To help streamline our intake process and ensure efficient issue verification, all submissions must include a that clearly outlines the reported issue, in addition to the following:

  1. Description of the vulnerability
  2. Steps to reproduce the reported vulnerability
  3. Proof of exploitability (e.g. screenshot, video)
  4. Perceived impact to another user or the organization
  5. Proposed CVSSv3 Vector & Score (without environmental and temporal modifiers)
  6. List of URLs and affected parameters
  7. Other vulnerable URLs, additional payloads, Proof-of-Concept code
  8. Browser, OS and/or app version used during testing
  9. Impact of the bug
  10. Any recommended mitigations or fixes.
  11. Report should be sent to [email protected] with unique and descriptive subject line.

Hall of Fame

We’re incredibly grateful to the security researchers from around the world who’ve helped make the vFairs platform safer. Through their responsible disclosure and identification of impactful vulnerabilities, they’ve significantly strengthened our security. We honor the security researchers who participated in the program and extend our gratitude to them.

  • Coming Soon …