Whatbox Logo

Security Policy > Shared servers

This page provides scope and reward information for this portion of our bug bounty program, please see the Security policy for general rules if you haven't already.


We provide shared hosting services to our customers, that includes SSH and the ability to run software of the customers installs independently. The scope of this program is designed to ensure our operating system remains secure. Not to ensure every piece of software running is secure.


  1. Port 1024 through 65535
  2. Information disclosure (username, running processes)
  3. Denial of service
  4. Bruteforce attacks
  5. Information disclosure through timing attacks
  6. XSS or CSRF behind a password prompt
  7. Security flaws resulting from non-default misconfigurations
  8. Security flaws resulting from non-default software


Your cash reward is the largest single value your exploit can be categorized under in the following table. Whatbox customers may ask to receieve their reward as a service credit instead of cash.

Rewards are paid out exclusively via PayPal at this time./

Category Cash Service credit
Authentication bypass (SSH, FTP, VPN, etc.) 1,000 USD 4,000 USD
Authentication bypass (Supported apps) 500 USD 2,000 USD
Arbitrary code execution without password (Supported apps) 500 USD 2,000 USD
Privilege escalation via SSH 2,500 USD 10,000 USD