Being pro-active rather than re-active to emerging security issues is a fundamental belief at Volusion. Every day new security issues and attack vectors are created. Volusion strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.
Out of scope:
- All Volusion.com subdomains
- All other web-stores built by Volusion
- Volusion demo stores
www.VolusionPenTest1.com is a sample web-store built using the Volusion platform and it's the target for this bounty.
Special focus on:
- OWASP Top 10 and other critical web application vulnerabilities
- Business logic, authorization and authentication flaws (e.g. obtaining administrative access to the store)
- Unauthorized file upload
Additional information and Payment option information:
- Highly intrusive scans and DoS/DDoS attacks are not allowed
- Orders can be placed with a properly formatted "fake" credit card number (even when the site responds with a Gateway error)
- No purchases will actually be processed
- Federal Tax ID can be any number
The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. application errors), 403 Forbidden errors or other HTTP non-200 codes/pages
- Disclosure of known public files or directories (e.g. robots.txt)
- Missing HTTP headers (such as X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, etc.)
- Presence of application or web browser 'autocomplete' or 'save password'
- No email verification (when registering or emailing a friend)
- Email flooding (e.g. on password reset)
- Email enumeration
- Weak password policy
- Cross-site request forgery
- Missing SPF
Please read and follow the rules in the Standard Disclosure Terms.