Security Policy > Shared servers
This page provides scope and reward information for this portion of our bug bounty program. Please see the Security policy for general rules if you haven't already.
Reporting discoveries
Scope & Rewards
Endpoint | XSS | CSRF | Auth Flaw | Privilege escalation
---|---|---|---|---
https://*.whatbox.ca:443/login | 250 USD | 500 USD | 1,500 USD | OOS
https://*.whatbox.ca:443/logout | 250 USD | OOS | 1,500 USD | OOS
https://*.whatbox.ca:443/labs* | 250 USD | OOS | N/A | OOS
https://*.whatbox.ca:443/api* | 250 USD | OOS | N/A | OOS
https://*.whatbox.ca:443/filebrowser/ | 250 USD | OOS | N/A | OOS
https://*.whatbox.ca:443/private/ | 250 USD | OOS | OOS | OOS
sftp://*.whatbox.ca:22 | OOS | OOS | 1,500 USD | 4,000 USD
ftpes://*.whatbox.ca:21 | OOS | OOS | 1,500 USD | 4,000 USD
ssh://*.whatbox.ca:22 | OOS | OOS | 1,500 USD | 4,000 USD
At this time, all other exploit types and all other endpoints are out of scope.
Please check that you are testing:
- The correct protocol
- The correct port
- The correct URI prefix if applicable
- An exploit type that is not Out of Scope (marked OOS above)
Recently rejected
Software version with known CVEs
While we regularly install hundreds of software updates, we do not consider outdated software inherently insecure, even if there are known CVEs in the older version.
When managing hundreds of packages, it is necessary that updates go through a quality assurance process. Occasionally it is necessary for us to hold back security fixes or to offer an older version of software for interoperability reasons.
You are encouraged to use known CVEs to assist you in generating a working Proof of Concept. But without a working Proof of Concept, reports of outdated software versions will be rejected.