DarkMatter Group is a leading Emirati technology company, focusing significantly on advanced technologies that enable smart and safe digital, including blockchain and cryptography. Since its establishment in 2015, we have developed a portfolio of solutions aimed at enhancing and securing critical infrastructure within the key sectors that underpin society: defense, intelligence, civil government, financial services, transportation, energy, and telecommunications.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
Please be aware that injection-type issues that are present on the same form/functionality, but on slightly different parameters, will be treated as a single issue. For instance, if every parameter on `/foo` is vulnerable to XSS, only the first submission here will be rewarded, and all subsequent findings against this form will be considered duplicates.
NOTE: for any P1/2 type issues, please include a video PoC with your initial report, as that will help us validate in a more expedient fashion. Thanks!
Reward Range
|Technical severity|Reward range|
|---|---|
|p1 Critical|$2,400 - $2,400|
|p2 Severe|$1,600 - $1,600|
|p3 Moderate|$600 - $600|
|p4 Low|$100 - $100|
Any domain/property of DarkMatter not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
- The targets for this program are the production:
- Note that this is built on the Umbraco CMS; some particular points of interest include trying to access authenticated content via the API, etc.
- When testing, please ensure you limit your testing to only non-invasive injections (e.g. when doing command execution, limit yourself to running an `id` command; for SQL injection, limit yourself to only select queries, no `DELETE` etc.). Proving the point is sufficient without having to go 10 layers deep.
Testing for this target will be External Only. No credentials will be provided for this assessment.
Out of Scope:
- Any type of DoS - whether network or app level