Bug Bounty Program

We are committed to keeping our data safe and providing a secure environment for our users. To that end, we engage the efforts of the responsible security community to identify potential vulnerabilities in our systems. The following program description outlines eligibility and scope, how to report vulnerabilities, and other important terms. Please read them carefully. If you believe you've found a vulnerability in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy
  • As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization;
  • Follow industry-standard disclosure guidelines;
  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue;
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party;
  • Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder;
  • Do not access, modify or delete user data without permission of the account owner;
  • Do not exploit financial vulnerabilities beyond what is required to prove their existence;
  • Act in good faith not to degrade the performance of our services (including denial of service).

Rules

The following issues are outside the scope of our Program:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of our staff or contractors
  • Any physical attempts against our property or data centers

In Scope

unstoppabledomains.com and subdomains used to provide active services to our customers.

Non-Qualifying Vulnerabilities

The following types of issues are outside the scope of our Program (including but not limited to):

  • Clickjacking on static websites or pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
  • Login/logout CSRF
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Missing best practices in SSL/TLS configuration
  • Missing security headers which do not lead directly to a vulnerability
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without showing an attack vector or the ability to modify HTML/CSS
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on cookies
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Vulnerabilities affecting users of outdated or unpatched browsers and platforms
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Tabnabbing
  • Open redirect - unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction
  • Issues related to software outside Unstoppable Domains' control
  • Any exploit that requires the attacker to already possess a victim's valid login credentials
  • Reports from automated tools or scans (without validation of vulnerability)
  • Single-user vulnerabilities that require jailbroken or otherwise non-standard hardware
  • Password complexity requirements
  • Mixed content scripts
  • Banner disclosure on common/public services
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Self Cross-Site Scripting (Self-XSS)

Submitting a Report

To submit a report, summarize your findings, following the disclosure policy above, in an email to bug-bounty@unstoppabledomains.com.