Security Rewards > Primary website

Specific exclusions

We are not currently providing rewards for the following types of vulnerabilities:

  1. Denial of service exploits are not currently included.
  2. Information disclosure through timing attacks are not currently included

Reward amounts

Your cash reward is the largest single value your exploit can be categorized under in the following table. Whatbox customers may ask to receieve their reward as a service credit instead of cash.

Category Cash Service credit
XSS 100 USD 200 USD
XSS (bypassing CSP) 750 USD 1,500 USD
CSRF 250 USD 500 USD
Cache poisoning 400 USD 800 USD
Modifying outbound email (headers, recipients or content) 400 USD 800 USD
Authentication bypass 1,000 USD 2,000 USD
SQL Injection 3,500 USD 7,000 USD
Arbitrary code execution 2,500 USD 5,000 USD
Arbitrary code execution (with privilege escalation) 4,000 USD 8,000 USD
Persistent code change 3,000 USD 6,000 USD