Bug bounty

About company

George Egri, co-founder and CEO of BitNinja, also runs a web-hosting company, Web-Server Ltd. Some years ago, the hosting company received a lot of customer complaints about hacked websites. They tried to combine the different tools on the market to secure their servers against the various kinds of cyberattacks, but the setup became unmanageable after a while.

So they decided to solve the problem by building an internal all-in-one solution. That project was the ancestor of BitNinja. They validated the tool on the market and realized that it could benefit not just them but the whole shared-hosting industry and the Internet at large. They therefore focused their resources on BitNinja and on making the Internet a safer place. In 2019 they raised a seed round, and in 2020 they closed a Series A round. BitNinja has also been recognized by cybersecurity experts: since 2020 the company has won sixteen international awards and been a finalist six times.

BitNinja’s multi-layered defense system protects against WordPress, Joomla, and Drupal infections. Today the company’s easy-to-use SaaS cybersecurity tool protects more than 20,000 servers worldwide and defends against 10+ million attacks daily.

Program description

BitNinja is looking for your help in protecting and securing their online assets.

General Rules

  • Testing is authorized only on the targets listed in the Testing scope section.
  • Any domain, property, database, or IP address of BitNinja not listed in the Testing scope section is strictly out of scope.
  • Avoid privacy violations, destruction of data, and interruption or degradation of BitNinja’s services.
  • Only interact with accounts you own.
  • Findings must be exact, and Bug Bounty Reports must contain the steps needed to reproduce the issue. Attachments such as screenshots or proof-of-concept code are highly recommended.
  • Rewards or recognition will not be awarded if BitNinja’s security team cannot reproduce and verify a Finding.
  • You must be the first person to report a valid Finding (‘duplicate’ reports will not be rewarded).
  • The use of unapproved third-party systems, third-party software, and/or automated scanners is prohibited.
  • BitNinja requests that Bounty Hunters do not perform automated/scripted testing of web forms, especially “Contact Us” forms.
  • If you find the same Vulnerability several times, please report only one Finding. Multiple Vulnerabilities caused by one underlying issue will be awarded one bounty.
  • You must not be a former or current employee of BitNinja or one of its subcontractors.

Strictly prohibited

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) based attacks
  • Non-technical attacks such as social engineering or phishing, vishing, smishing
  • Physical security attacks
  • Password cracking attempts (brute-forcing, rainbow table attacks, wordlist substitution, etc.)

Out of scope issues

  • Open ports without an accompanying proof-of-concept demonstrating Vulnerability
  • Design flaws and best practices that do not lead to security Vulnerabilities
  • Weak or expired SSL/TLS configurations
  • Vulnerabilities affecting users of outdated browsers
  • Missing security best practices and controls (lack of CSRF protection, missing HttpOnly or secure flags on cookies, missing XSS-Protection HTTP header)
  • Self XSS
  • Software version disclosure
  • Lack of strong password policy
  • Internal IP disclosure
  • Rate-limiting issues
  • Lack of CAPTCHAs or other spam-prevention mechanisms
  • Content spoofing and text injection issues
  • User Enumeration
  • Open redirects
  • Clickjacking on pages with no sensitive actions
  • DNS server misconfiguration, lack of DNS CAA, and DNS-related configurations
  • Absence of SPF / DKIM / DMARC records
  • Mixed content warnings

Public Disclosure

Before disclosing an issue publicly, you must first request permission from us (via the bugbounty@hckrt.com email address). BitNinja will process requests for public disclosure on a per-report basis.

Any Bounty Hunter found publicly disclosing reported Vulnerabilities without BitNinja’s written consent will be sanctioned.

Rewards

BitNinja will determine, in its sole discretion, whether a Reward will be awarded. All Rewards are severity based, so we ask you to evaluate a Vulnerability’s impact carefully.

Vulnerability severity shall be determined by using the MITRE CAPEC method (https://capec.mitre.org/).

You will not receive a reward, and your Finding submission may be rejected, in the following cases:

  • Reports of purely theoretical damage
  • Out-of-date software without a proven exploitable risk
  • Attacks requiring unrealistic user interaction
  • Any report without a proof of concept (PoC)
  • Any report without a proven security impact