16 vulnerabilities rewarded
8 days average response time
Latest hall of famers
Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.
All pages and URLs hosted under www.sendsafely.com are included within the scope of our bug bounty program, and you can register for a free account on our website. When performing your testing, we ask that you please abide by the following rules:
- Do not use vulnerabilities to access, modify, harm, or otherwise alter any data that does not belong to you.
- Do not exploit vulnerabilities except for purposes of demonstrating it to us.
- Do not conduct network level or Denial of Service testing or traffic flooding attacks against our systems.
If you are unsure of exploitability, please contact us and one of our security engineers will work with you to verify it safely.
Testing is limited to www.sendsafely.com/*
Out of scope:
- All subdomains
- All 3rd party systems (for example, but not limited to: Zendesk, Github, Stripe, Tumblr)
Signup for an account at:
- This will create a fully functional account that is valid for 30 Days.
- The account will still be valid after 30 days, but functionality will be limited
- As part of the registration process you will receive and email and be asked to complete a profile. When completing the profile please use Last Name = Bugcrowd to indicate you are a Bugcrowd tester.
This is a production environment.
- Do not conduct tests that will impact the performance of the environment
- Aggressive Scanning
- Aggressive Scripting
- Network level Denial of Service (DoS/DDoS)
- Brute Force Testing
The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- CSRF on forms that are available to anonymous users (e.g. the contact form) and the Login/Logout URL.
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of HTTPOnly cookie flags.
- Lack of Security Speedbump when leaving the site.
- Login Brute Force (unless the CAPTCHA can be bypassed)
- OPTIONS HTTP method enabled
- Missing X-Content-Type-Options Header
- Use of SHA-1 SSL Certificate and support for TLS 1.0
- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Findings from applications or systems not listed in the ‘Targets’ section
- Functional bugs and/or spelling mistakes