Volusion V1

  • $25 – $500 per vulnerability

Program stats

  • 49 vulnerabilities rewarded
  • Validation within 4 days: 75% of submissions are accepted or rejected within 4 days
  • $100 average payout (last 3 months)
  • Recently joined this program: 553 total

Being proactive rather than reactive to emerging security issues is a fundamental belief at Volusion. Every day new security issues and attack vectors are created. Volusion strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

Out of scope:

  • Volusion.com
  • All Volusion.com subdomains
  • All other web-stores built by Volusion
  • Volusion demo stores
  • Mail.VolusionPenTest1.com

In scope

Target name                        Type
https://www.VolusionPenTest1.com   Other

www.VolusionPenTest1.com is a sample web-store built using the Volusion platform, and it is the target for this bounty.

Special focus on:

  • OWASP Top 10 and other critical web application vulnerabilities
  • Business logic, authorization and authentication flaws (e.g. obtaining administrative access to the store)
  • Unauthorized file upload

Additional information and payment options:

  • Highly intrusive scans and DoS/DDoS attacks are not allowed
  • Orders can be placed with a properly formatted "fake" credit card number (even when the site responds with a Gateway error)
  • No purchases will actually be processed
  • Federal Tax ID can be any number

The following finding types are specifically excluded from the bounty:

  • Descriptive error messages (e.g. application errors), 403 Forbidden errors or other HTTP non-200 codes/pages
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Missing HTTP headers (such as X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, etc.)
  • Presence of application or web browser 'autocomplete' or 'save password'
  • No email verification (when registering or emailing a friend)
  • Email flooding (e.g. on password reset)
  • Email enumeration
  • Weak password policy
  • Cross-site request forgery
  • Clickjacking
  • Missing SPF

Please read and follow the rules in the Standard Disclosure Terms.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.