We understand the hard work that goes into security research. To show our appreciation for researchers who help us keep our users safe, we operate a recognition and reward program for responsibly disclosed vulnerabilities. Blinksale rewards the confidential disclosure of any design or implementation issue that could be used to compromise the confidentiality or integrity of our users' data (such as by bypassing our login process, injecting code into another user's session, or instigating action on another user's behalf). Recognition in the Blinksale Security Hall of Fame may be provided for the disclosure of qualifying bugs. At our discretion, we may occasionally provide a nominal cash reward based on the creativity or severity of the bugs.

As with most security recognition and reward programs, we ask that you use common sense when looking for security bugs.

  • Vulnerabilities must be disclosed to us privately with reasonable time to respond.
  • Only vulnerabilities submitted to https://bugcrowd.com/blinksale are eligible for the recognition and reward program. Vulnerabilities reported via social media and/or support forms and forums are not eligible.
  • Researchers must avoid compromise of user accounts and loss of funds.
  • Researchers must properly identify any user accounts created for the purpose of security research by using the phrase "BugCrowd" in the company name or other user-input field.
  • We do not reward denial of service, spam, or social engineering vulnerabilities.
  • Although Blinksale itself and all services offered by Blinksale are eligible, vulnerabilities in third-party applications that use Blinksale are not.
  • Your report must include a Proof of Concept in the form of running code, screenshots, or a screen recording demonstrating the vulnerability.

And finally, as with most security recognition and reward programs, there are restrictions. We will only recognize the first person to responsibly disclose a bug to us. Any bugs that are publicly disclosed without providing us a reasonable time to respond will not be recognized. Whether to recognize or reward the disclosure of a bug and the timing and amount of the recognition or reward is entirely at our discretion, and we may cancel the program at any time. Your testing must not violate any laws. We can’t provide you a reward if it would be illegal for us to do so, such as to residents of countries under current U.S. sanctions (e.g. North Korea, Libya, Cuba, etc.).

Thank you for helping keep Blinksale, our users, and their customers safe!

Targets

In scope

  • *.blinksale.com

We are primarily interested in hearing about the following vulnerability categories:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • Authentication related issues
  • Data Exposure
  • Redirection Attacks
  • Remote Code Execution
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories

The following vulnerability categories are considered out of scope and will not be eligible for credit on our researcher list:

  • Descriptive error messages (e.g. stack traces, application or server errors).
  • Brute force against the login or forgot-password pages, or account lockout not being enforced.
  • User enumeration.
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Disclosure of administrative URLs that are protected by login.
  • Clickjacking and issues only exploitable through clickjacking.
  • Self-XSS and issues exploitable only through Self-XSS.
  • Mixed content warnings.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser 'autocomplete' or 'save password' functionality.
  • Vulnerability reports related to the reported version numbers of web servers, services, or frameworks.
  • Vulnerability reports that would be more symptomatic of a social engineering or phishing attack than of an application vulnerability.

Rules

This program follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.