Security Rewards > Primary website
Specific exclusions
We are not currently providing rewards for the following types of vulnerabilities:
- Denial of service exploits are not currently included.
- Information disclosure through timing attacks are not currently included
Reward amounts
Your cash reward is the largest single value your exploit can be categorized under in the following table. Whatbox customers may ask to receieve their reward as a service credit instead of cash.
| Category | Cash | Service credit |
|---|---|---|
| XSS | 100 USD | 200 USD |
| XSS (bypassing CSP) | 750 USD | 1,500 USD |
| CSRF | 250 USD | 500 USD |
| Cache poisoning | 400 USD | 800 USD |
| Modifying outbound email (headers, recipients or content) | 400 USD | 800 USD |
| Authentication bypass | 1,000 USD | 2,000 USD |
| SQL Injection | 3,500 USD | 7,000 USD |
| Arbitrary code execution | 2,500 USD | 5,000 USD |
| Arbitrary code execution (with privilege escalation) | 4,000 USD | 8,000 USD |
| Persistent code change | 3,000 USD | 6,000 USD |