Security Policy > Primary website
Reporting discoveries
Rewards payments will be paid exclusively via PayPal. If you cannot accept PayPal, your reward will be forefeit.
Scope
These rewards apply to whatbox.ca only. No subdomains.
Rewards
Rewards will be sent via PayPal only.
| Category | Cash | Service credit |
|---|---|---|
| XSS | 0 USD | 0 USD |
| Missing or Incorrect HTTP Headers | 0 USD | 0 USD |
| Missing or Incorrect DNS Records | 0 USD | 0 USD |
| Weak TLS Ciphers | 0 USD | 0 USD |
| SSL Certificate Errors | 0 USD | 0 USD |
| CSRF | 0 USD | 0 USD |
| Spoofing | 0 USD | 0 USD |
| Phishing | 0 USD | 0 USD |
| Confusion | 0 USD | 0 USD |
| Internal Server Errors | 0 USD | 0 USD |
| Denial of Service | 0 USD | 0 USD |
| Rate Limits | 0 USD | 0 USD |
| Resource Use | 0 USD | 0 USD |
| Credential stuffing | 0 USD | 0 USD |
| XSS (bypassing CSP) | 2,000 USD | 8,000 USD |
| Authentication bypass | 2,500 USD | 10,000 USD |
| SQL Injection | 15,000 USD | 60,000 USD |
| Remote code execution | 10,000 USD | 40,000 USD |
| Unauthenticated file read | 10,000 USD | 40,000 USD |
| Unauthenticated file write | 15,000 USD | 60,000 USD |