Program stats

16 vulnerabilities rewarded

3 days average response time

Recently joined this program

130 total

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

In Dash Messaging, everyone has a price -- the price of delivering a message to the top of the message queue. In the system there are two types of message: public and private. Private messages are direct messages between users. Public messages are messages that can be delivered to targeted groups of people.

This is a kudos-only program - no cash bounties will be paid for bug and vulnerability reports.

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings.

Targets

We would like researchers to focus their attention on user authentication. We need to know how an attacker might take over another user's account. We are also interested in ways that the system can be gamed.

New users go through three phases that have escalating privileges:

  1. Guest user
  2. Registered user
  3. Confirmed user

We are interested in ways that an attacker might escalate their privileges in an unauthorized manner.

Access

Researchers are welcome to create accounts on the live site at https://d-msg.com for testing purposes. If a researcher would like to conduct tests with deposited funds, contact the Dash Messaging support team and we will make arrangements.

  • https://d-msg.com/D_MSG_support

Focus Areas

User authentication

Out-of-Scope

Only issues at the d-msg.com domain are within the scope of this program.

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings.