Find security issues in BCMS
and get a reward.
Policy
The following guidelines give you an idea of what we usually pay out for different classes of security issues.
Low-quality issues may be rewarded below these tiers, so please make sure that there is enough information for us to be able to reproduce your issue and step-by-step instructions including how to reproduce your issue. Screenshots are also helpful, but please make sure to not make these public before submitting them to follow our program’s rules.
Each reported security issue goes through internal investigation, and if Prohibited actions are broken, you will not be rewarded.
Rewards
Rules of reporting
- Report a qualifying vulnerability that is in the scope of our program (below).
- Be the first person to report the vulnerability.
- Be reasonable with automated scanning methods so as to not degrade services.
- Refrain from disclosing the vulnerability until we've addressed it.
- Report security issue exclusively via the form which is monitored by our security team.
- NEVER try to gain access to real user's account or data.
- You must not leak, manipulate, or destroy any user data.
- Do not impact users with your testing.
In Scope
Out Of Scope
What we are looking for
- Cross-site Scripting (XSS)
- Cross-site Request Forgery
- Server-Side Request Forgery (SSRF)
- Database Injections
- Server-side Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Access Control Issues
- Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
- Exposed Administrative Panels that don't require login credentials
- Anything not listed but important
What we are not looking for
- Vulnerabilities requiring physical access to the victim's unlocked device
- Denial of Service attacks
- Brute Force attacks
- Spam or Social Engineering techniques
- Content Spoofing
- Best practices concerns
- Issues relating to Password Policy
- Issues relating to token lifetime
- User enumeration
- CSRF-able actions that do not require authentication (or a session) to exploit
- Version number information disclosure
- Reports related to missing security headers
- CSV Injection
- Reverse Tabnabbing
- Race condition
- Rate limit
- Bugs that do not represent any security risk
- Security bugs in third-party applications or services built on the BCMS API
- Vulnerabilities that are limited to unsupported browsers
- Improper session invalidation
- Use of a known-vulnerable library (without evidence of exploitability)
- Vulnerabilities on Third Party Products
- Not enforcing certificate pinning
- Pre-Account Takeover
Prohibited actions
- Do not initiate any unauthorized financial transactions
- Do not conduct social engineering attacks (e.g. phishing, vishing, smishing) against BCMS employees, partners, or customers.
- Using automated scanning tools to scan assets
- Spam-like or other high volume activity
- Mass creation of users, groups, and projects
- Creation and maintenance of a persistent connection to the server
- Interruption of normal operations (e.g. triggering a reboot)
- Deletion of any files or data
- Modification of any files or data, including permissions
- Files that allow arbitrary commands (i.e. a webshell)
Payouts
We determine bounty amounts based on a variety of factors, including (but not limited to) Impact, classification and sensitivity of the data, ease of exploitation and overall risk to BCMS.
The reward for reporting a bug will be paid out once the bug has been fixed and successfully retested by the reporter. This ensures that the fix is effective and meets the standards set by our company.