Security Policy > Managed apps

Reporting discoveries

security@whatbox.ca

Scope

Rewards

Rewards will be sent via PayPal only.

| Category | Cash | Service credit |
|---|---|---|
| XSS | 0 USD | 0 USD |
| Missing or Incorrect HTTP Headers | 0 USD | 0 USD |
| Missing or Incorrect DNS Records | 0 USD | 0 USD |
| Weak TLS Ciphers | 0 USD | 0 USD |
| SSL Certificate Errors | 0 USD | 0 USD |
| CSRF | 0 USD | 0 USD |
| Spoofing | 0 USD | 0 USD |
| Phishing | 0 USD | 0 USD |
| Confusion | 0 USD | 0 USD |
| Internal Server Errors | 0 USD | 0 USD |
| Application Crash | 0 USD | 0 USD |
| Denial of Service | 0 USD | 0 USD |
| Rate Limits | 0 USD | 0 USD |
| Resource Use | 0 USD | 0 USD |
| Credential stuffing | 0 USD | 0 USD |
| Authentication bypass | 3,000 USD | 12,000 USD |
| Unauthenticated remote code execution | 4,000 USD | 16,000 USD |
| Unauthenticated file read | 3,000 USD | 12,000 USD |
| Unauthenticated file write | 4,000 USD | 16,000 USD |

Recently rejected

Software version with known CVEs

While we regularly install hundreds of software updates, we do not consider outdated software inherently insecure, even if there are known CVEs in the older version.

When managing hundreds of packages, updates need to go through a quality assurance process. Occasionally we need to hold back security fixes or offer an older version of software for interoperability reasons.

You are encouraged to use known CVEs to assist you in generating a working Proof of Concept, but without a working Proof of Concept, reports of outdated software versions will be rejected.