$25 – $750 per vulnerability

Program stats

18 vulnerabilities rewarded

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at Multicraft. Every day new security issues and attack vectors are created. Multicraft strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.


In scope

Target name                                                                      | Type
---------------------------------------------------------------------------------|------
Multicraft 2.1.0 - Linux 64bit (primary target) - see Access Information below   | Other
Sample installation @                                                            | Other


Multicraft 2.1.0 was recently released.

Areas to focus

  • Docker container feature
  • Editable user roles
  • Two Factor authentication
  • Subdomain feature

Staff Login for Test Installation

  • Username: teststaff
  • Password: teststaffpassword123

In scope (ordered by priority)

  • Obtaining "root" access to the system as a normal user
  • Obtaining "admin" access to the panel as a normal user
  • Obtaining access to the panel or the daemon database as a normal user
  • Obtaining edit access to a server other than the one owned by the user
  • Running actions outside of the privilege of the current user (CSRF/XSS for example)

Out of scope

  • Issues arising from faulty/suboptimal configuration (this includes not using encrypted connections or having CSRF validation disabled in the settings)
  • Accessing files outside of the server directory as the server user
  • Access gained through external software
  • Bruteforce attacks
  • Bugs, such as XSS, that only affect legacy software or require exceedingly unlikely user interaction
  • Disclosure of information that is public or does not present significant risk
  • Vulnerabilities that we determine to be an acceptable risk

Additional Information

When using own installation

  • Use free license (or any license you own)
  • Use latest 2.1.0, Linux 64bit version only
  • Use up to date Linux system
  • Secure installation according to security guide:

When using sample installation

  • Login is shared between users, please don't change the login information
  • Installation is reset every 12 hours
  • If installation is broken somehow, please contact

Quick architecture overview

  • Front end panel written in PHP using Yii 1 framework
  • Back end daemon written in Python 2.7
  • Communication using custom protocol over TCP
  • Communication secured using a "daemon password"
  • Main configuration file of panel is in protected/config/config.php
  • Main config of daemon is the multicraft.conf file
  • Two databases:
    • Daemon Database, shared between all daemons as well as the panel (daemon information, server information, players, commands, etc)
    • Panel database, only used by the panel (user information, server metadata)

Access information

Using own installation

  • Download package
  • Install using the installation instructions:
  • Try obtaining admin/root/database/cross server access

Using sample installation

  • Visit
  • Log in using: testuser / testpassword123
  • Try obtaining admin/root/database/cross server access

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.