BitNinja Bug Bounty Program
@bitninja
bitninja.com
Reports: 138
Announcement
Dear Hackers,
Please note that we will be concluding and closing Bitninja Public Bug Bounty program.
However, your invaluable contributions have not gone unnoticed. If you encounter any further issues, please feel free to share your reports with us at [email protected]
Thank you for your dedication in advance.
Scope
In Scope
- admin-staging.bitninja.io (WEB): BitNinja Dashboard staging environment, Tier 1
- console-staging.bitninja.io (WEB): BitNinja Console staging environment, Tier 1
About company
George Egri, co-founder and CEO of BitNinja, has a web-hosting company. Some years ago, they had a lot of customer complaints about hacked websites at Web-Server Ltd. They tried to combine the different tools on the market to secure their servers against the various kinds of cyberattacks, but it became unmanageable after a while.
So they decided to solve this problem by creating an internal all-in-one solution. This project was the ancestor of BitNinja. They validated the tool on the market and realized that it could be beneficial not just for them but also for the shared hosting industry and the whole Internet. Therefore they started to focus their resources on BitNinja and on making the Internet a safer place. In 2019, they raised the Seed Round fund and in 2020, they closed the Series A round. BitNinja was also recognized by cybersecurity experts, and since 2020 they have won sixteen international awards and were finalists six times.
BitNinja's multi-layered defense system protects against WordPress, Joomla, and Drupal infections. By now the company's easy-to-use SaaS cybersecurity tool protects more than 20,000 servers worldwide and defends against 10+ million attacks daily.
Program Rules
Program description
BitNinja is looking for your help in protecting and securing their online assets.
General Rules
- Testing is only authorized on the targets listed as Testing scope.
- Any domain/property/database/IP address of BitNinja not listed in the Testing scope section is strictly out of scope.
- Avoid privacy violations, destruction of data, and interruption or degradation of BitNinja’s services.
- Only interact with accounts you own.
- Findings must be exact, and the Bug Bounty Reports must contain the steps to follow to reproduce the issue. Attachments such as screenshots or Proof of Concept Code are highly recommended.
- Rewards or recognition will not be awarded if our security team cannot reproduce and verify a Finding.
- You must be the first person to report a valid Finding ('duplicate' reports will not be rewarded).
- The use of non-approved Third-Party Systems, Third-Party Software and/or automated scanners is prohibited.
- BitNinja requests that Bounty Hunters do not perform automated/scripted testing of web forms, especially "Contact Us" forms.
- If you find the same Vulnerability several times, please report only one Finding. Multiple Vulnerabilities caused by one underlying issue will be awarded one bounty.
- You must not be a former or current employee of BitNinja or one of its subcontractors.
Credentials
Testing credentials are provided by BitNinja. Please click the "Request Credential" button to get your test user.
Out of scope targets
Anything outside of the explicitly approved testing scope is out of scope, including the following:
- *.bitninja.io subdomains (except for subdomains in testing scope)
- *.ninguard.com
- *.bitninja.info
- *.containerprotection.io
- *.containerprotection.net
- *.containerprotection.org
- *.dockerprotection.com
- *.dockerprotection.io
- *.dockerprotection.net
- *.dockerprotection.org
- *.malware-monitor.com
- *.malware-monitor.io
- *.malware-monitor.net
- *.malware-monitor.org
- IP addresses of the out of scope domains
- All databases belonging to BitNinja
- DNS servers related to BitNinja domains
Strictly prohibited
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) based attacks
- Non-technical attacks such as social engineering or phishing, vishing, smishing
- Physical security attacks
- Password cracking attempts (brute-forcing, rainbow table attacks, wordlist substitution, etc.)
Out of scope issues
- Open ports without an accompanying proof-of-concept demonstrating Vulnerability
- Design flaws and best practices that do not lead to security Vulnerabilities
- Weak/expired SSL configurations
- Vulnerabilities affecting users of outdated browsers
- Missing security best practices and controls (lack of CSRF protection, missing HttpOnly or secure flags on cookies, missing XSS-Protection HTTP header)
- Self XSS
- Software version disclosure
- Lack of strong password policy
- Internal IP disclosure
- Rate-limiting issues
- Lack of captchas or other spam-preventing mechanisms
- Content spoofing and text injection issues
- User Enumeration
- Open redirects
- Clickjacking on pages with no sensitive actions
- DNS server misconfiguration, lack of DNS CAA, and DNS-related configurations
- Absence of SPF / DKIM / DMARC records
- Mixed content warnings
Incident Handling and Response
You, as a Bounty Hunter, must report any suspicious, unintentional or unwanted activities and security events you may find in the Environment to [email protected].
BitNinja reserves the right to terminate and/or suspend the Program or revoke any Bounty Hunter’s authorization if a security incident occurs in the Environment.
Public Disclosure
Before disclosing an issue publicly, we require that you first request permission from us (using the [email protected] email address). BitNinja will process requests for public disclosure on a per-report basis.
Any Bounty Hunter found publicly disclosing reported Vulnerabilities without BitNinja’s written consent will be sanctioned.
Rewards
BitNinja will determine, in its sole discretion, whether a Reward will be awarded. All our Rewards are severity based. Therefore, we ask you to evaluate a Vulnerability's impact carefully.
Vulnerability severity shall be determined by using the MITRE CAPEC method (https://capec.mitre.org/).
You will not receive a reward, or your Finding submission might be rejected, if it falls into one of the following categories:
- Reports about theoretical damage
- Out of date software without proven exploitable risks
- Attacks requiring unrealistic user interaction
- All reports without proof-of-concept (POC)
- All reports without proven security impact
Bounty Table