Naspers

  • Points per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

59 vulnerabilities rewarded

Validation within 3 days
75% of submissions are accepted or rejected within 3 days

Latest hall of famers

Recently joined this program

220 total

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Naspers values the input of the security community to create a more secure Internet and welcomes the opportunity to collaborate with community members who share this common goal.

This coordinated vulnerability disclosure program (VDP) is limited to security vulnerabilities identified within Naspers's public online presence. Please review the program contents before submitting your findings.


Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Targets

In scope

Target name Type
*.naspers.com Website
*.myacademy.io Website
*.naspers.fr Website
*.naspers.us Website
*.naspersventures.com Website
*.naspers.co Website
*.naspers.co.in Website
*.prosus.com Website

Testing is only authorized on the target listed as In-Scope. Any domain/property of Naspers not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.


Target Information

Web Applications:

https://www.naspers.com is our corporate website. Researchers are invited to test all aspects of this application by following the guidelines detailed in this program.

Please note: no credentials will be provided for testing

Focus Areas:

  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery
  • Server-Side Request Forgery (SSRF)
  • SQL Injection
  • Remote Code Execution (RCE)
  • XML External Entity Injection (XXE) with significant impact
  • Access Control Issues
  • Authentication Bypass Issues
  • Authorization Flaws
  • Privilege Escalation
  • Directory Traversal Issues
  • Sensitive Information Disclosure
  • Data Exposure
  • Business Logic Vulnerabilities

Out of Scope:

The following submisssion types will not be rewarded (as per Bugcrowd's Vulnerability Rating Taxonomy):

  • Denial of service (DoS) attacks
  • Findings as reported by automated tools without additional analysis as to how and what is vulnerable
  • Vulnerabilities only affecting users of outdated or unpatched browsers
  • Spam reports
  • Phishing and social engineering reports
  • Targeted attacks against social media or third party services that Naspers use (LinkedIn, Twitter, etc)

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.