You may be eligible to receive a monetary reward if:
- You are the first person to submit a site or product vulnerability
- The vulnerability is considered to be a valid security issue by our team
- You have complied with all Program Rules
All bounty amounts will be determined by our team, who will evaluate each report and assign a severity level that determines the amount of the monetary reward to be received. Severity levels are decided internally based on the type of vulnerability and its potential impact. Below is an overview with examples for each severity level:
Severity level: None
- Issues not related to security, such as non-200 HTTP response codes, application or server errors, etc.
- Issues without a clear security impact, such as logged-out CSRF, missing HTTP security headers, SSL issues, password policy issues, or clickjacking on pages with no sensitive actions.
- Issues affecting outdated applications or components, no longer in use or maintained
- Issues affecting third-parties, such as third-party apps or services we use (e.g., Firebase, ZenDesk)
- Issues involving spam or social engineering techniques, such as missing or misconfigured SPF and DKIM records, and lack of DNSSEC.
- Issues involving server information disclosure, namely `X-Powered-by` and `Server` response headers. Exceptions may exist whenever disclosed information contains a server version with an associated CVE disclosure.
- Issues involving server-side request forgery (SSRF) on services that perform active requests by design, unless it is proven that sensitive information can be leaked.
- Bugs requiring exceedingly unlikely user interaction (e.g., account takeover through SSO login).
- Reports that require privileged access to the target's devices or that are otherwise outside our control, including but not limited to: access to browser cookies and/or other tokens used to impersonate the user, access to the user's email account, etc.
- Clickjacking issues that occur on pre-authenticated pages, or the lack of X-Frame-Options, or any other non-exploitable clickjacking issues.
- Missing rate limits, unless it can lead to an exploitable vulnerability.
- Specific to client apps:
  - User data stored unencrypted
  - Lack of obfuscation
  - Runtime hacking exploits that involve manipulation of running code or its environment
Severity level: Low
- Open redirections
- Server misconfiguration or provisioning errors
- Information leaks or disclosure excluding sensitive user data
- Reflected XSS
- Mixed content issues, if the target URL does not respond with a `Strict-Transport-Security` (HSTS) header. The risk still exists but is limited to a single interaction per domain/subdomain (depending on the HSTS `max-age` and `includeSubDomains` values). Since 2021 browsers have been transitioning to HTTPS by default, further mitigating this problem.
- Other low-severity issues
Severity level: Medium
- CSRF / XSRF
- SSRF to an internal service
- Stored XSS
- Other medium-severity issues
Severity level: High
- Information leaks or disclosure including sensitive user data
- Other high-severity issues
Severity level: Critical
- SQL injection
- Remote code execution
- Privilege escalation
- Broken authentication
- SSRF to an internal service, resulting in critical security risk
- Other critical-severity issues
| Severity level | Reward |
|----------------|--------|
| None           | $0     |
| Low            | $100   |
| Medium         | $200   |
| High           | $500   |
| Critical       | $1,000 |
All bounties are paid out via PayPal.
Scholar Fund's team retains the right to determine if the submitted vulnerability is eligible.
All determinations as to the amount of a bounty made by the Scholar Fund Bug Bounty team are final.