Being proactive rather than reactive to emerging security issues is a fundamental belief at Volusion. Every day new security issues and attack vectors are created. Volusion strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Out of scope:

  • Volusion.com
  • All Volusion.com subdomains
  • All other web-stores built by Volusion
  • Volusion demo stores
  • Mail.VolusionPenTest1.com

Targets

In scope

www.VolusionPenTest1.com is a sample web-store built using the Volusion platform, and it is the target for this bounty.

Special focus on:

  • OWASP Top 10 and other critical web application vulnerabilities
  • Business logic, authorization and authentication flaws (e.g. obtaining administrative access to the store)
  • Unauthorized file upload

Additional information and payment details:

  • Highly intrusive scans and DoS/DDoS attacks are not allowed
  • Orders can be placed with a properly formatted "fake" credit card number (even when the site responds with a Gateway error)
  • No purchases will actually be processed
  • Federal Tax ID can be any number

The following finding types are specifically excluded from the bounty:

  • Descriptive error messages (e.g. application errors), 403 Forbidden errors or other HTTP non-200 codes/pages
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Missing HTTP headers (such as X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, etc.)
  • Presence of application or web browser 'autocomplete' or 'save password' functionality
  • No email verification (when registering or emailing a friend)
  • Email flooding (e.g. on password reset)
  • Email enumeration
  • Weak password policy
  • Cross-site request forgery
  • Clickjacking
  • Missing SPF

Please read and follow the rules in the Standard Disclosure Terms.

Rules

This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.