General rules and regulations

for hackers

General rules:

  • The program may be canceled at any time, and awards are at the sole discretion of the bug bounty panel.

  • Participants must not be on any sanctions lists or reside in countries on sanctions lists (e.g., North Korea, Iran, etc.).

  • Proof of identity is required due to local laws.

  • Participants are responsible for any applicable taxes.

  • All awards are subject to applicable law.

  • Participants must adhere to the reporting guidelines provided.

Eligibility for Rewards:

  • Issues without a Proof of Concept (POC) are not eligible for bounty rewards.

  • Duplicate reports of the same vulnerability are not eligible for additional rewards.

  • Publicly disclosing a vulnerability before it's resolved makes it ineligible for a bounty.

  • The vulnerability report should not be related to activities that violate the service's terms of service or any laws.

Vulnerability Submission:

  • One report per vulnerability

  • The first report for a specific vulnerability is accepted.

  • Reports for vulnerabilities already known are not accepted.

  • Reports submitted for vulnerabilities explicitly listed as out of scope are not accepted.

  • If a chain security vulnerability is detected using multiple security vulnerabilities, separate reporting is allowed.

  • Higher rewards are paid for clear, well-written submissions.

  • A Proof of Concept (POC) must be included to be eligible for rewards. Please include test code, scripts, and detailed instructions. The easier we can reproduce and verify the vulnerability, the higher the reward.

  • Include a clear description of how to fix the issue.

  • Vulnerability reports should be submitted through the designated channels.

Testing Guidelines:

  • Testing must not violate any law or compromise any data that the participant does not own.

  • Participants should not access or modify other users' data during testing and should only use accounts under their control.

  • Vulnerabilities allowing access to user data should be reported responsibly, without unauthorized access.

  • Testing should be limited to verifying the presence and impact of the vulnerability.

Prohibited Actions:

  • Social engineering methods (e.g., phishing, vishing, smishing) and physical attacks (e.g., computer theft, SIM card copying) are strictly prohibited.

  • Denial of Service (DoS) attacks must not be attempted.

  • Any actions that could compromise the integrity or availability of our system

Submission Requirements:

  • Reports must be submitted in English.

  • All details about the vulnerability must be shared, and a Proof of Concept (PoC) must be provided.

  • If multiple vulnerabilities are discovered, researchers should submit separate reports for each distinct issue.

Last updated