Web + API Applications in this OnGoing Bug Bounty Program
- $150 – $2,500 per vulnerability
- Up to $3,000 maximum reward
Large attack surface covering multiple web applications and an API. Testing environment is running on Azure and needs to follow the Microsoft Cloud Unified Penetration Testing Rules of Engagement:
| Rating | Range |
|---|---|
| P1 | $2,100-$2,500 |
| P2 | $1,000-$1,250 |
| P3 | $450-$600 |
| P4 | $150-$200 |
Reward range
Last updated
| Technical severity | Reward range |
|---|---|
| p1 Critical | $2,100 - $2,500 |
| p2 Severe | $1,000 - $1,250 |
| p3 Moderate | $450 - $600 |
| p4 Low | $150 - $200 |
Targets
- website
- api
There are a number of web applications available for testing, each with specific focus areas.
| Focus areas |
|---|
| Bypassing local authentication, abusing password reset, abusing external authentication, WCF authentication service |
| Auditing, PII management, Licensing, and XSS |
| Accessing administrative functions/privilege escalation; Missing access control checks/business logic vulnerabilities; Viewing sensitive data without meeting the contextual access criteria (ie: viewing another user's forms or personal documents); Modifying data without meeting the access criteria (ie: editing another user's draft, editing your form after submission without it being routed back to you); Making workflow decisions without meeting the access criteria (ie: approving a form that has not been routed to you.) |
| Auditing, Broken Access Control, XSS, SQLi |