Whatbox Logo

Security Policy > whatbox.ca

This page provides scope and reward information for this portion of our bug bounty program, please see the Security policy for general rules if you haven't already.



We are not currently providing rewards for the following types of vulnerabilities:

  1. Denial of service.


Your cash reward is the largest single value your exploit can be categorized under in the following table. Whatbox customers may ask to receieve a service credit instead of cash.

Rewards are paid out exclusively via PayPal at this time./

Category Cash Service credit
XSS 150 USD 600 USD
XSS (bypassing CSP) 1,500 USD 6,000 USD
CSRF 300 USD 1,200 USD
Authentication bypass 1,500 USD 6,000 USD
SQL Injection 10,000 USD 40,000 USD
Arbitrary code execution 4,000 USD 16,000 USD
Arbitrary code execution (with privilege escalation) 15,000 USD 60,000 USD
Persistent code change 10,000 USD 40,000 USD

Recently rejected

No CSRF token on /logout

While the lack of a CSRF token means an attacker can trick a user into logging out of their Whatbox account, we consider this a non-issue.

  1. A cross site logout increases the security of the user, by restricting the potential for further exploit.
  2. If CSRF tokens were employed, an expired token could prevent a user from logging out successfully and accidentally leaving a valid session open when they intentionally clicked "Logout".
Username or email enumeration (with rate limit)

Due to the requirements for unique usernames and unique email addresses, username enumeration is possible in many areas of the site. We employ rate limiting to limit the volume of information that can be leaked this way.