Being proactive rather than reactive to emerging security issues is a fundamental belief at Volusion. Every day new security issues and attack vectors are created. Volusion strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Out of scope:

  • Volusion.com
  • All Volusion.com subdomains
  • All other web-stores built by Volusion
  • Volusion demo stores
  • Mail.VolusionPenTest1.com

Targets

In scope

www.VolusionPenTest1.com is a sample web-store built using the Volusion platform and is the target for this bounty.

Special focus on:

  • OWASP Top 10 and other critical web application vulnerabilities
  • Business logic, authorization and authentication flaws (e.g. obtaining administrative access to the store)
  • Unauthorized file upload

Additional information and payment option information:

  • Highly intrusive scans and DoS/DDoS attacks are not allowed
  • Orders can be placed with a properly formatted "fake" credit card number (even when the site responds with a Gateway error)
  • No purchases will actually be processed
  • Federal Tax ID can be any number

The following finding types are specifically excluded from the bounty:

  • Descriptive error messages (e.g. application errors), 403 Forbidden errors or other HTTP non-200 codes/pages
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Missing HTTP headers (such as X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, etc.)
  • Presence of application or web browser 'autocomplete' or 'save password'
  • No email verification (when registering or emailing a friend)
  • Email flooding (e.g. on password reset)
  • Email enumeration
  • Weak password policy
  • Cross-site request forgery
  • Clickjacking
  • Missing SPF

Please read and follow the rules in the Standard Disclosure Terms.

Rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for Informational (P5) findings. Learn more about Bugcrowd's VRT.

This bounty requires explicit permission to disclose the results of a submission.