Security Rewards > Primary website

Specific exclusions

We are not currently providing rewards for the following types of vulnerabilities:

  1. Denial of service exploits are not currently included.
  2. Information disclosure through timing attacks are not currently included

Reward amounts

Your cash reward is the largest single value your exploit can be categorized under in the following table. Whatbox customers may ask to receieve their reward as a service credit instead of cash.

Category Cash Service credit
XSS 100 USD 200 USD
XSS (bypassing CSP) 1,000 USD 2,000 USD
CSRF 250 USD 500 USD
Authentication bypass 1,000 USD 2,000 USD
SQL Injection 5,000 USD 10,000 USD
Arbitrary code execution 3,000 USD 6,000 USD
Arbitrary code execution (with privilege escalation) 5,000 USD 10,000 USD
Persistent code change 5,000 USD 10,000 USD