27 vulnerabilities rewarded
Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
ActiVPN provides an easy-to-use anonymizing VPN service. This is a points-only program and is managed by the ActiVPN team.
The target hosts for this bounty are:
- ActiVPN infrastructure
- Code Execution at server side: BOF, UAF in our server applications
- Web Command Injection: Shell Injection, XSS, SQL Injection, PHP injection
- Open redirect
- Authentication or authorization flaw, or significant info leak of customer data
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd’s VRT.
Specifically excluded from this bounty:
- Logout CSRF
- Directory Listing (unless you get server interpreted source code)
- CSRF (unless it affects the confidentiality or the availability of the user data)
- Session Fixation
- Missing Content-Type header unless you can upload a file
- Cookie set without Secure flag
- No HSTS header
- Cache settings (unless you get code execution, privilege escalation, or a significant info leak)
- Path/Exception disclosure (we deliberately set up an exception mechanism that gives you information about the failure, to help with pentesting)
- Password auto-complete in browser
- Password policy