Security Rewards > Primary website

Specific exclusions

We are not currently providing rewards for the following types of vulnerabilities:

  1. Denial of service exploits are not currently included.
  2. Information disclosure through timing attacks is not currently included.

Reward amounts

Your cash reward is the largest single value your exploit can be categorized under in the following table. Whatbox customers may ask to receive their reward as a service credit instead of cash.

| Category | Cash | Service credit |
|---|---|---|
| Invalidating page XML validity | 100 USD | 200 USD |
| XSS | 100 USD | 200 USD |
| XSS (bypassing CSP) | 500 USD | 1,000 USD |
| CSRF | 200 USD | 400 USD |
| Cache poisoning | 300 USD | 600 USD |
| Modifying outbound email (headers, recipients or content) | 300 USD | 600 USD |
| Authentication bypass | 750 USD | 1,500 USD |
| SQL Injection | 3,500 USD | 7,000 USD |
| Arbitrary code execution | 2,250 USD | 4,500 USD |
| Arbitrary code execution (with privilege escalation) | 4,000 USD | 8,000 USD |
| Persistent code change | 3,000 USD | 6,000 USD |