Help us protect our kingdom!
We are in need of your service, chivalrous knight! Our lands are tormented by ferocious abominations. They come in many forms and are called by many names - some call them monsters, others call them little devils, but you might know them as bugs.
We invite you to take part in our quest to hunt these bugs down. It is open to everybody, as long as you follow several rules (specified below), because even battles have rules, and so does our hunt. The hunting season is open ended, there is no deadline or time limit for this quest.
And of course, there is a treasure waiting for every successful hunter abiding rules mentioned. Bring us proof of your catch and you will be handsomely rewarded!
Protect King Kevin!
Battlefield
- Website
www.contentkingapp.com - Web application
app.contentkingapp.com - Public API
api.contentkingapp.com - Private API
data.contentkingapp.com - Machines using IP ranges defined in https://www.contentkingapp.com/support/crawl-ip-addresses/ (opens in a new tab)
89.149.192.96/2781.17.55.192/2723.105.12.64/27173.234.16.0/28
- Any machine which contains a copy of https://www.contentkingapp.com/security.txt (opens in a new tab) at filesystem path
/security.txt - Public GIT repositories:
Vulnerability found on third-party components are not included in the scope of this program. Please report such cases to us as well, we will notify the third-party in question and work with them in finding a solution for such a vulnerability.
We do not provide any hardware, software or licenses as part of this program.
The following finding types are specifically out of scope:
- Lack of MFA.
- Open redirects (through headers and parameters) / Lack of security speedbump when leaving the site.
- Internal IP address disclosure.
- Accessible Non-sensitive files and directories (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc).
- Social engineering / phishing attacks.
- Self XSS.
- Text injection.
- Email spoofing (including SPF, DKIM, DMARC, From: spoofing, and visually similar, and related issues).
- Descriptive error messages (e.g. stack traces, application or server errors, path disclosure).
- Fingerprinting/banner disclosure on common/public services.
- Clickjacking and issues only exploitable through clickjacking.
- CSRF issues that don't impact the integrity of an account (e.g. log in or out, contact forms and other publicly accessible forms).
- Lack of Secure and HTTPOnly cookie flags (critical systems may still be in scope).
- Login or Forgot Password page brute force, account lockout not enforced, or insufficient password strength requirements.
- Lack of rate limiting or other missing DOS protections.
- HTTPS mixed content scripts.
- Username / email enumeration by brute forcing / error messages (e.g. login / signup / forgotten password).
- Exceptional cases may still be in scope (e.g. ability to enumerate email addresses via incrementing a numeric parameter).
- Missing HTTP security headers.
- TLS/SSL Issues, including BEAST, BREACH, insecure renegotiation, bad cipher suite, expired certificates, etc.
- Standard WPA cracking attacks, such as those that result from users choosing weak passwords.
- Denial of Service attacks.
- Out-of-date software.
- Use of a known-vulnerable component (exceptional cases, such as where you are able to provide proof of exploitation, may still be in scope).
- Physical attacks against ContentKing's facilities, property and infrastructure.
Rules of Engagement
If you follow these rules, we vow not to pursue any legal actions against you for participation in our bug hunting program.
- Testing that disrupts the service to other users is considered out of scope.
- You are prohibited to provide any information about the discovered security vulnerability to third parties.
- You are prohibited to collect any data, accessed through such security vulnerabilities.
- You are prohibited to abuse or exploit any vulnerability beyond the extent necessary to create a proof of such vulnerability.
- You are expected to comply with all applicable laws.
If you are not sure that your action might be against the rules of our program or laws, please contact us and consult with us before taking such action.
Treasures
Rewards are awarded based on type and severity of the vulnerability or bug reported, according to the following guidelines:
| RCE: | Up to $5,000 |
| SQLi: | $250–$5,000 |
| XSS: | $50–$500 |
| CSRF: | $50–$250 |
| Authentication bypass: | Up to $5,000 |
| Horizontal privilege escalation: | $250-$1,500 |
| Vertical privilege escalation: | $250–$5,000 |
Claim Your Reward
Each vulnerability must be reported to the email bugbounty@conductor.com. Each report must contain details of vulnerability and PoC or screenshot in order for vulnerability to be replicated and validated.
- Every reported vulnerability will be evaluated and rewarded individually on a case by case basis, based on severity of the bug.
- Only new, previously not reported vulnerabilities will be rewarded.
- Reward will be awarded to the first reporter of each vulnerability.
- You will be rewarded for the reporting (more details above), you are not provided with any operational compensations such as salary, utilities, etc.
If you have any questions or comments about the bug bounty program, you can contact us on email bugbounty@conductor.com.
Happy hunting!
