WOO Network: Bug Bounty Program

  • $200 – $9,000 per vulnerability
  • Up to $10,000 maximum reward

Program stats

  • Vulnerabilities rewarded: 39
  • Validation within 4 days: 75% of submissions are accepted or rejected within 4 days
  • Average payout: $200 within the last 3 months

No technology is perfect and WOO Network believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web applications and API. Good luck, and happy hunting!

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

The final bounty will be the Base Bounty + PII Bonus (if any) + Special Bonus (if any).

| Type | Category | Maximum Rewards | Notes |
|------|----------|-----------------|-------|
| P1 | Remote Code Execution (RCE) | $10,000 | The ability to execute arbitrary system commands on a remote server with no circumstances beyond the attacker’s control will qualify for a maximum reward. |
| P1 | Server Side Request Forgery (SSRF) | $6000 – $9000 | The ability to make arbitrary network requests within WOO Network’s internal network and read sensitive data would qualify for a maximum reward. Factors that may limit severity include blind SSRF (unable to read data, or only certain file types, like images) and limits on the type of requests that can be made (e.g. POST only). |
| P1 | SQL Injection | $6000 – $9000 | |
| P1 | Sensitive File Access | $6000 – $9000 | |
| P2 | Account takeover | $2000 – $4000 | The maximum reward is reserved for account takeover vulnerabilities that require no user interaction. |
| P2 | Logic flaw | $2000 – $4000 | This includes (non-exhaustive) ways to exploit the fact that the application does not behave as expected, such as: changing or altering parameters in a way that results in unintended behavior (e.g. IDOR); bypassing a paywall, approval process or business workflow within the application; or bypassing an authentication mechanism. |
| P3 | Cross-Site Scripting (XSS) | $1000 – $2000 | XSS vulnerabilities are limited to a base reward of $1,000. If you can access sensitive data, you may also be eligible for the PII bonus. If the XSS can be escalated to a more severe vulnerability, it will be evaluated under that category. |
| P3 | CSRF | $1000 – $2000 | |
| P4 | Other valid vulnerabilities | $200 – $1500 | |

Bonus rewards in addition to base bounties:

| Type | Bonus amount |
|------|--------------|
| Special Bonus | Up to $5000 |
| Personal information leakage | Up to $5000 |

Report Assessment and Bounty Calculations

1) Base Bounty: Maximum reward is based on the bounty table. The report is then evaluated based on maximum reward, CVSS and an evaluation of the business impact.
2) Other rewards: Personal information leakage (PII). We aim to follow the below when awarding bounties, but the following should be considered a guideline and exceptions may apply.

  • Category A – Max $5000:
    • Financially sensitive data (Example: Credit card details, incl. either CVC/CVV number and/or full card number)
    • Biometric data (Example: Fingerprint features used for authentication)
    • Official documents used for identification (Example: Passport)
    • Any information covered by Personal Information Protection law (Example: Information that allows one to uniquely identify a person)
  • Category B – Max $2000:
    • Partially identifying information (Example: Full address incl. apartment number, if applicable)
    • Information not supposed to be available to the attacker (Example: Account Amount and Transaction History)
  • Category C – Max $1000:
    • Other types of sensitive user information (Example: Full name, List of previous purchases)

3) Other rewards: Special Bonus. This category is for rewarding special contributions. This is entirely up to the WOO Network Bug Bounty team’s discretion, but the goal is to reward reports we consider exceptional. Reports that qualify based on the below will have their bounty increased up to $5,000.

Qualifying Vulnerabilities in the WOO Network are those concerned with:

  • Remote Code Execution
  • Significant manipulation of the account balance
  • Leakage of sensitive data
  • XSS/CSRF/Clickjacking affecting sensitive actions (excluding Self-XSS)
  • Theft of privileged information
  • Partial authentication bypass
  • Other vulnerabilities with clear potential for financial or data loss

Out-of-scope Vulnerabilities

Non-Qualifying Vulnerabilities in the WOO Network

  • Theoretical vulnerabilities without actual proof of concept
  • Email verification deficiencies, expiration of password reset links, and password complexity policies
  • Clickjacking/UI redressing with minimal security impact
  • Email enumeration (e.g. the ability to identify emails via password reset)
  • Information disclosure with minimal security impact (e.g. stack traces, path disclosure, directory listings, logs)
  • Self-XSS
  • Spamming
  • Usability issues
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Reports from automated tools or scans, without exploitability demonstration
  • Vulnerabilities related to autofill web forms
  • Use of known vulnerable libraries without actual proof of concept
  • Lack of security flags in cookies
  • Issues related to unsafe SSL/TLS cipher suites or protocol version
  • Content spoofing
  • Cache-control related issues
  • Exposure of internal IP address or domains
  • Missing security headers that do not lead to direct exploitation
  • Vulnerabilities that require physical access to a user's device
  • Non-technical attacks, such as a physical attack, social engineering, phishing, etc. (e.g. HTTP Basic Authentication Phishing)

Testing is only authorized on the targets listed as in scope. Any domain/property of WOO Network not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in scope, but it demonstrably belongs to WOO Network, you can report it to this program. However, be aware that it is ineligible for rewards or points-based compensation.


Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.