Security Policy > whatbox.ca
This page provides scope and reward information for this portion of our bug bounty program, please see the Security policy for general rules if you haven't already.
Scope
- This program includes whatbox.ca only. All other subdomains and infrastructure are covered by other programs.
Out-of-Scope
We are not currently providing rewards for the following types of vulnerabilities:
- Denial of service.
Rewards
Your cash reward is the largest single value your exploit can be categorized under in the following table. Whatbox customers may ask to receieve a service credit instead of cash.
Rewards are paid out exclusively via PayPal at this time./
| Category | Cash | Service credit |
|---|---|---|
| XSS | 150 USD | 600 USD |
| XSS (bypassing CSP) | 1,500 USD | 6,000 USD |
| CSRF | 300 USD | 1,200 USD |
| Authentication bypass | 1,500 USD | 6,000 USD |
| SQL Injection | 10,000 USD | 40,000 USD |
| Arbitrary code execution | 4,000 USD | 16,000 USD |
| Arbitrary code execution (with privilege escalation) | 15,000 USD | 60,000 USD |
| Persistent code change | 10,000 USD | 40,000 USD |
Recently rejected
No CSRF token on /logout
While the lack of a CSRF token means an attacker can trick a user into logging out of their Whatbox account, we consider this a non-issue.
- A cross site logout increases the security of the user, by restricting the potential for further exploit.
- If CSRF tokens were employed, an expired token could prevent a user from logging out successfully and accidentally leaving a valid session open when they intentionally clicked "Logout".
Username or email enumeration (with rate limit)
Due to the requirements for unique usernames and unique email addresses, username enumeration is possible in many areas of the site. We employ rate limiting to limit the volume of information that can be leaked this way.