Redox: New Year, Friendly Reminders for Bounty Hunters
Happy 2021, Researchers! In 2020 you did some amazing work on the Redox program. To set you up for success in the new year, we wanted to share the following updates.
Guidance on Common Findings / Known Issues
The following are intended design or are in the process of being remediated; please avoid spending time here, as you are more likely to earn a bounty when hunting on our Focus Areas (see below or on the brief).
- Failure to Invalidate Session on Password Reset and/or Change. Please note that other authorization and session-based vulnerabilities can still be valuable.
- HTML Injection is of limited value to the team; please focus on other XSS-type findings.
- No Rate Limiting on 'Forgot Password' or 'Email-Triggering' endpoints. If you can find other ways to leverage the password reset, you are welcome to submit your finding.
- Lack of DMARC record
- Email HTML Injection
Submissions eligible for an additional 10% bonus are as follows:
- Any Stored XSS
- Any Remote Code Execution
- Any Local File Inclusion
- Any Privilege Escalation
If you have any questions, please reach out to firstname.lastname@example.org.