Web + API Applications in this OnGoing Bug Bounty Program

  • $150 – $2,500 per vulnerability
  • Up to $3,000 maximum reward
  • Safe harbor

This is the teaser page of a private program

Public code ovv41tyYARpWDHrCsFHLse6D

Use this public code to communicate with Bugcrowd support about this program.

Large attack surface covering multiple web applications and an API. Testing environment is running on Azure and needs to follow the Microsoft Cloud Unified Penetration Testing Rules of Engagement:

Rating Range
P1 $2,100-$2,500
P2 $1,000-$1,250
P3 $450-$600
P4 $150-$200

Reward range

Last updated

Technical severity Reward range
p1 Critical $2,100 - $2,500
p2 Severe $1,000 - $1,250
p3 Moderate $450 - $600
p4 Low $150 - $200
P5 submissions do not receive any rewards for this program.


  • website
  • api

There are a number of web applications available for testing, each with specific focus areas.

Focus areas
Bypassing local authentication, abusing password reset, abusing external authentication, WCF authentication service
Auditing, PII management, Licensing, and XSS
Accessing administrative functions/privilege escalation; Missing access control checks/business logic vulnerabilities; Viewing sensitive data without meeting the contextual access criteria (ie: viewing another user's forms or personal documents); Modifying data without meeting the access criteria (ie: editing another user's draft, editing your form after submission without it being routed back to you); Making workflow decisions without meeting the access criteria (ie: approving a form that has not been routed to you.)
Auditing, Broken Access Control, XSS, SQLi