Minimum Bounty: $50 Category: Accounts, Payments


Bug-Bounty is a crowd-sourced testing platform designed to help companies improve the security of their platforms and systems.


Currently, only the main bug-bounty.com website is in scope.

All subdomains of bug-bounty.com are included too (*.bug-bounty.com).


Do NOT run automated scans with tools such as ZAP, Burp Scanner, Acunetix and the like. You will not be awarded a bounty if we detect that you used automated tools, even if you report a valid bug!

Out of scope

All domains/subdomains/subnets not explicitly stated as in scope are considered out of scope.

The following vulnerabilities are considered out of scope:

  • Social engineering attacks.
  • Brute-force / dictionary attacks.
  • Non-sensitive Clickjacking.
  • Non-sensitive CSRF (login / logout).
  • Vulnerabilities without a POC (Proof of Concept).
  • Physical access dependent attacks.
  • MITM dependent attacks.
  • Missing SSL/TLS best practices (configuration, implementation, etc.).
  • Industry standards and policies.
  • Disruption of the service or website (for example, DoS attacks, mass scans, etc.).
  • Rate-limiting issues.
  • Automated reports from tools like nmap, Nessus, etc.


Please ensure the submitted vulnerabilities / bugs are reproducible.

Provide as much information as possible and add screenshots when needed. Clear reports get validated quicker, and therefore you’ll get your bounty faster.


Do not share any information / data related to the tests you carry out without permission from Bug-Bounty.

Bounty Rewards

  • Low      –  $50
  • Medium   –  $200
  • High     –  $500
  • Critical –  $1000

Range Scale

Submitted reports will first be reviewed by a member of the Bug-Bounty.com team to validate them, determine their severity and suggest an appropriate bounty to the program creator. The report only becomes visible to the program creator once they reward you. Bug-Bounty.com reserves the right to make the final decision on the severity of submitted bugs and their worth. To give you an idea, below are some common vulnerabilities and the categories they usually fall under.

Please note that this list is not exhaustive. It is up to the reviewer to decide which category a discovered bug falls under. Depending on the actual bug, a low vulnerability can be deemed high and vice versa.

  • Low:
    • Minor information disclosures.
    • Broken session management.
    • Non-dangerous CSRF.
    • HTML injection.
    • Open redirect.
    • DOM XSS.


  • Medium:
    • Broken session management.
    • Sensitive information disclosures.
    • Dangerous CSRF.
    • Unvalidated redirects.
    • Reflected XSS.


  • High:
    • Vulnerable authentication.
    • Privilege escalation.
    • Stored XSS.
    • Local file inclusion.


  • Critical:
    • SQL injection.
    • Remote file inclusion.
    • Remote code execution.