Naspers

  • Points per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

99 vulnerabilities rewarded

Validation within about 6 hours
75% of submissions are accepted or rejected within about 6 hours

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Naspers values the input of the security community to create a more secure Internet and welcomes the opportunity to collaborate with community members who share this common goal.

This coordinated vulnerability disclosure program (VDP) is limited to security vulnerabilities identified within Naspers's public online presence. Please review the program contents before submitting your findings.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy (VRT). However, it is important to note that in some cases a vulnerability's priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.

This program only awards points for VRT-based submissions.

Targets

In scope

Target name             Type             Tags
*.naspers.com           Website Testing  jQuery, ASP.NET, Microsoft IIS, Cloudflare CDN
*.naspers.fr            Website Testing  ASP.NET, jQuery, Microsoft IIS, Cloudflare CDN
*.naspers.us            Website Testing  ASP.NET, jQuery, Microsoft IIS, Cloudflare CDN
*.naspersventures.com   Website Testing  (no additional tags)
*.naspers.co            Website Testing  ASP.NET, jQuery, Microsoft IIS, Cloudflare CDN
*.naspers.co.in         Website Testing  ASP.NET, jQuery, Microsoft IIS, Cloudflare CDN
*.prosus.com            Website Testing  ASP.NET, jQuery, Microsoft IIS, Cloudflare CDN

Out of scope

Target name                             Type
development.naspers.com                 Website Testing
development-nasperspolicy.naspers.com   Website Testing
development-naspersbrand.naspers.com    Website Testing
development-prosus.naspers.com          Website Testing

Testing is only authorized on the targets listed as in scope. Any domain or property of Naspers not listed in the targets section is out of scope. This includes any and all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.

Target Information

Web Applications:

https://www.naspers.com is our corporate website. Researchers are invited to test all aspects of this application by following the guidelines detailed in this program.

Please note: no credentials will be provided for testing.

Please do not use automated vulnerability scanners on this program. Custom scripts and fuzzing tools are permitted, but if you use them, please keep your traffic to six requests per second or less. Additionally, it is worth noting that the client already runs automated scans from Acunetix, ZAP, Nessus, et al. against the in-scope targets, so using these tools is likely of minimal utility to researchers. As such, please avoid using them except for targeted, specific testing, and then only at less than six requests per second.

Focus Areas:

  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery
  • Server-Side Request Forgery (SSRF)
  • SQL Injection
  • Remote Code Execution (RCE)
  • XML External Entity Injection (XXE) with significant impact
  • Access Control Issues
  • Authentication Bypass Issues
  • Authorization Flaws
  • Privilege Escalation
  • Directory Traversal Issues
  • Sensitive Information Disclosure
  • Data Exposure
  • Business Logic Vulnerabilities

Out of Scope:

The following submission types will not be rewarded (as per Bugcrowd's Vulnerability Rating Taxonomy):

  • Denial of service (DoS) attacks
  • Findings as reported by automated tools without additional analysis as to how and what is vulnerable
  • Vulnerabilities only affecting users of outdated or unpatched browsers
  • Spam reports
  • Phishing and social engineering reports
  • Targeted attacks against social media or third-party services that Naspers uses (LinkedIn, Twitter, etc.)

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.