
Security Policy > Shared servers

This page provides scope and reward information for this portion of our bug bounty program; please see the Security policy for general rules if you haven't already.

Reporting discoveries

security@whatbox.ca

Scope & Rewards

Endpoint                                 XSS       CSRF      Auth Flaw   Privilege escalation
https://*.whatbox.ca:443/login           250 USD   500 USD   1,500 USD   OOS
https://*.whatbox.ca:443/logout          250 USD   OOS       1,500 USD   OOS
https://*.whatbox.ca:443/labs*           250 USD   OOS       N/A         OOS
https://*.whatbox.ca:443/api*            250 USD   OOS       N/A         OOS
https://*.whatbox.ca:443/filebrowser/    250 USD   OOS       N/A         OOS
https://*.whatbox.ca:443/private/        250 USD   OOS       OOS         OOS
sftp://*.whatbox.ca:22                   OOS       OOS       1,500 USD   4,000 USD
ftpes://*.whatbox.ca:21                  OOS       OOS       1,500 USD   4,000 USD
ssh://*.whatbox.ca:22                    OOS       OOS       1,500 USD   4,000 USD

(OOS = out of scope)

At this time, all other exploit types and all other endpoints are out of scope.

Please check that you are testing:

Recently rejected

Software version with known CVEs

While we regularly install hundreds of software updates, we do not consider outdated software inherently insecure, even if there are known CVEs in the older version.

When managing hundreds of packages, it is necessary that updates go through a quality assurance process. Occasionally it is necessary for us to hold back security fixes, or to offer an older version of software, for interoperability reasons.

You are encouraged to use known CVEs to assist you in producing a working Proof of Concept, but without a working Proof of Concept, reports of outdated software versions will be rejected.