Caffeine

  • $100 – $5,000+ per vulnerability
  • Managed by Bugcrowd

Program stats

35 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Caffeine is a social broadcasting platform for gaming, entertainment, and the creative arts. Our goal with this bug bounty program is to give researchers a responsible way to disclose vulnerabilities, allow us to build a more secure service for all our users, and reward you for your hard work.

For this program, we are inviting researchers to test our websites, API services, auxiliary services and our Windows 10 broadcasting software.

You are welcome to test almost all of the components and, though it is not required, to start broadcasting yourself. To do so you will need at least 5 Mbps upload and a supported game installed.

You are free to test the chat system, but do not do so in an active streamer's chat. You can start your own broadcast or simply navigate to caffeine.tv/yourusername and send messages there if you want to hunt for issues.

You may "ignore" other users, but do not "report" any users or broadcasts.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Important

For testing the website and APIs, only a Caffeine account is required. Please provide an email account that you actively monitor and prefix your username with "bcr_". Do not sign up with an @caffeine.tv email address! If you finish your examination and will not use the account in the future, please go into the account settings and delete the account.

Reward Range

Technical severity    Reward range
P1 Critical           Starting at $5,000
P2 Severe             Starting at $1,100
P3 Moderate           Starting at $450
P4 Low                Starting at $100

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name                                            Type
https://www.caffeine.tv/                               Website
https://api.caffeine.tv/                               API
https://payments.caffeine.tv                           API
https://realtime.caffeine.tv/                          API
https://preview.caffeine.tv/                           Website
https://images.caffeine.tv/                            API
https://static.caffeine.tv/                            Other
https://build.caffeine.tv/                             Website
caffeine.exe                                           Other
caffeine-helper.x86.exe                                Other
caffeine-helper.x64.exe                                Other
Caffeine iOS Application                               iOS

Out of scope

Target name                                            Type
https://events.caffeine.tv/                            API
Any Third Party Software Applications (Zendesk, etc.)  Website

Any domain/property of Caffeine not listed in this targets section is out of scope.

There are plenty of targets though:

Step 1: Create a user

As a researcher, you will need to sign up for a new account on Caffeine to test most of the components.

Important: When signing up, please:

  1. Prefix your username with bcr_.
  2. Use an email address you actively monitor.

Please do not create more than 5 accounts.

After signing up, Caffeine will send an email with a verification link. Please click the link to verify your email address; verification is required before your account can broadcast.

Step 2: Be a good citizen

  1. Do not spam or abuse someone's live broadcast.
  2. When you are done testing, please clean up after yourself by deleting your test account from the Account Settings page.

Targets

Target: Website

https://www.caffeine.tv

This is the main Caffeine website where users sign up/log in and watch broadcasts with their friends. The website makes heavy use of JavaScript (React, Redux, redux-saga), HTML and CSS. It is compiled at build time and deployed to AWS S3 as static files, with Fastly for CDN and SSL termination.

The website makes API calls to api.caffeine.tv, realtime.caffeine.tv, payments.caffeine.tv and *.rtcdn.caffeine.tv. Those are the dynamic services.

One point of particular interest is whether you can determine the IP address of a broadcaster. We believe there is nothing exposing the broadcaster's IP address anywhere, so if you find a workaround, expect to be compensated well.

Target: Request/Response API

https://api.caffeine.tv/

This is the API service the website uses to create accounts, fetch users and friends lists, and so on. It is a Ruby on Rails API service, with an nginx proxy, hosted on AWS ECS behind an ALB. It uses JWTs for authentication.

Target: Real-time API

https://realtime.caffeine.tv/

This is the API service the website uses for real-time communication and server push events. The GIF chat system shown while watching a broadcast is powered by this API. It communicates over WebSockets. It is a Go (Golang) program hosted on AWS ECS behind an ALB, and it also uses JWTs for authentication.

Target: Payments API

https://payments.caffeine.tv/

This is the API service the website, iOS application and Caffeine Broadcaster use to read and make payments, such as buying gold and sending items. Authentication uses the x-credential HTTP header, which is based on JOSE.

Target: RTCDN API

https://*.rtcdn.caffeine.tv/

To watch a broadcast, the website makes a request to this API service to determine where in our Real-Time Content Distribution Network to load video and audio from. It is also used by caffeine.exe (our broadcasting software) to determine where to send audio and video.

Target: Broadcasting Software

caffeine.exe and CaffeineInjector_x86.exe

To broadcast on Caffeine, a user downloads, installs and runs our custom broadcasting software. It runs only on Windows 10 computers. A user can log in to Caffeine using this program, start a supported game, and begin broadcasting the game to Caffeine. They can also include a webcam. You can download the broadcasting software from here: https://www.caffeine.tv/start-broadcasting

In order to capture the game, CaffeineInjector_x86.exe will inject into the game’s process and hook into the render loop.

Target: Caffeine iOS Application

https://itunes.apple.com/us/app/caffeine-tv-for-gamers/id1170629931

Our iOS Application serves the same purpose as the website: it is used to sign up, sign in, view broadcasts and interact with the broadcasters. It uses the same APIs as the website. The application is written in Swift.

Target: Mini-website for Preview

https://preview.caffeine.tv

Caffeine makes use of social networking services such as Twitter. A link opened from the Twitter iOS application loads in Twitter's own in-app browser; this mini-website is served in that case to work within the constraints of the embedded webview.

Target: Images and Static content

https://static.caffeine.tv/
https://images.caffeine.tv/

The Caffeine software, user avatars, game images and other static content are hosted on these two domains. Both are hosted on AWS S3 with CloudFront for SSL handling and distribution.

The images service can also call out to Imgix to transform images where necessary.

Target: Other internal websites

https://tomnook.caffeine.tv
https://junkrat.caffeine.tv

These websites are built the same way as our main website (static files that make API calls).

Target: Internal Website: Build and Test

https://build.caffeine.tv

Caffeine has an internal website that we use for build and test automation. It is a Jenkins server running on AWS EC2. It is included here because it is exposed to the Internet. We believe we have firewalls and protections in place for this service that ensure it is not accessible without permission.

Out of scope

Any subdomain not included above is explicitly out of scope, including:

  • https://events.caffeine.tv/ and any other subdomain of caffeine.tv or any other Caffeine-owned domain.

In addition:

  • In the Caffeine broadcasting software, there is a form to “Report an Issue”. Please do not test this more than once, as it goes directly to our support team.

  • Do not attempt any tests on a broadcaster's live broadcast other than your own (www.caffeine.tv/yourusername), and do not send messages to the API with the stage_id of any other person's stage.

Also out of scope is the Caffeine iOS application on TestFlight.

Access

Scanning is allowed, but keep in mind that the services run on AWS, which actively blocks some scans.

Authentication

Caffeine uses an OAuth 2.0 style authentication system with a Request Token and an Access Token. Currently, Access Tokens expire after 15 minutes. Submissions reporting that the access token is not immediately invalidated on events such as a password change or logout will be considered ineligible for reward. If a researcher is able to demonstrate that the access token is valid for more than 15 minutes, that is likely to be viewed as a priority. Refresh Tokens will expire immediately upon changing password.
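As an added illustration (not Caffeine's code), the token-lifetime rules stated above expressed as server-side checks, written in Ruby because the API is a Rails service. The function names, the treatment of claims as already signature-verified, and the per-account `password_changed_at` field are assumptions.

```ruby
# Maximum access-token lifetime stated in the program brief: 15 minutes.
ACCESS_TOKEN_MAX_LIFETIME = 15 * 60

# Evaluates already-decoded JWT claims against the access-token rules.
# Signature verification is assumed to have happened before this step;
# only the time-based rules are checked here. As the brief states, an
# access token is NOT revoked by logout or password change; it simply
# runs out at exp. Returns :ok or a symbol naming the first failed rule.
def check_access_token(claims, now: Time.now.to_i)
  iat = claims['iat']
  exp = claims['exp']
  return :missing_timestamps unless iat.is_a?(Integer) && exp.is_a?(Integer)
  return :not_yet_valid if iat > now
  return :expired if exp <= now
  # Reject a token minted with a lifetime longer than policy allows even
  # before it reaches exp, so an over-long token is never honoured.
  return :lifetime_exceeds_policy if exp - iat > ACCESS_TOKEN_MAX_LIFETIME
  :ok
end

# Refresh tokens are invalidated by a password change: any refresh token
# issued before the account's password_changed_at (an assumed per-account
# field, nil if the password was never changed) is refused. A token issued
# in the same second as the change is treated as issued after it.
def check_refresh_token(claims, password_changed_at:, now: Time.now.to_i)
  iat = claims['iat']
  exp = claims['exp']
  return :missing_timestamps unless iat.is_a?(Integer) && exp.is_a?(Integer)
  return :expired if exp <= now
  return :revoked_by_password_change if password_changed_at && iat < password_changed_at
  :ok
end

# Constructed sample claims (not real Caffeine tokens), evaluated at a fixed clock.
if __FILE__ == $PROGRAM_NAME
  now = 1_700_000_000
  p check_access_token({ 'iat' => now, 'exp' => now + 900 }, now: now + 60)
  p check_access_token({ 'iat' => now, 'exp' => now + 3600 }, now: now + 60)
  p check_refresh_token({ 'iat' => now, 'exp' => now + 86_400 },
                        password_changed_at: now + 5, now: now + 10)
end
```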

Focus Areas

Because the website is statically hosted on S3, its attack surface is small. Instead, focus more on the APIs, particularly on account takeover techniques.

Of particular importance is if you can determine the IP address of a broadcaster. We believe there is nothing exposing the broadcaster's IP address, so if you find a workaround, expect to be compensated well.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.