At Freelancer, we do our absolute best to ensure that our website is as secure as possible. Keeping up with the latest in web security can be a daunting task and new vulnerabilities can appear in new and old products. We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at Freelancer. Every day new security issues and attack vectors are created. Freelancer strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

You can read more about our security reporting program at: https://www.freelancer.com/info/security-reporting.php

Targets

In scope

  • *.warriorforum.com
  • *.freemarket.com
  • *.freelancer.com

Do not engage in any damaging activity.

This includes any type of denial of service attack, viewing another user's data without authorization or modifying data without authorization.

The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Self-XSS and issues exploitable only through Self-XSS.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.

The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Self-XSS and issues exploitable only through Self-XSS.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password