Are you a security ninja?
If you believe that you found a vulnerability in activpn.com or the ActiVPN infrastructure, let's talk.
We are running a bug bounty.
Some rules:
- Scope: our website and our VPN servers: *.activpn.com
- OK: Code Execution at server side: BOF (buffer overflow), IOF (integer overflow), IUF (integer underflow), UAF (use-after-free), Race Condition in our applications
- OK: Web Command Injection: Shell Injection, XSS, SQL Injection, PHP injection, XXE, SSRF ...
- OK: path traversal, LFI, RFI, open redirect (assuming it leaks customer data)
- OK: authentication or authorization flaw, or significant infoleak of customer data
- Responsible disclosure only: never publish any user data, do not publish the details of the vulnerability before it has been patched
- Responsible behavior only: if you gain write access, do not modify or delete other users' data; use accounts you created for this purpose. Similarly, if you gain read access, do not dump the whole dataset; two entries that you created are enough.
- EXCLUDED: DDOS, Spam, Phishing, logout CSRF, ClickJacking, Directory Listing (unless you get server-interpreted source code), CSRF (unless it affects the confidentiality or the availability of the user data), Session Fixation, Missing Content-Type header (unless you can upload a file), Cookie set without secure flag, no HSTS, Cache settings (unless you get code execution, privilege escalation or significant infoleak), Path/Exception disclosure (we deliberately set up an exception mechanism that gives you information about the failure to help pentesting), Password auto-complete in Browser, password policy
- FIFO: first tester to report a valid vulnerability earns the reward
- Payment: So far, we are unable to pay residents of the following countries: Egypt, Cuba, Iran, North Korea, Sudan and Syria.
Two methods for reporting:
- via email security []A[] activpn.com.
You will get a reply within 5 business days at most.