boozt
https://hackerone.com/boozt
At Boozt we take security seriously; we want our customers not only to have a great shopping experience but also to feel and know they are safe.
But nobody's perfect, and top-notch online security is possible only with everyone's help.
If you think you have found a security vulnerability within our systems, we ask you to give us a reasonable amount of time to fix it before publicly disclosing it. Please also follow the guidelines below on scope and (non-)qualifying vulnerabilities.
Scope
* *.boozt.com
* *.booztx.com
* *.shopeu.ecco.com
* *.booztlet.com
* Boozt iOS App
* Boozt Android App
* www.day.dk
Rules
* Follow the HackerOne Vulnerability Disclosure Guidelines
* Do not access or modify other users' private data
* Do not DDoS
* Do not use automated tools or scanners
* Do not move beyond "proof of concept" repro steps for server-side execution issues.
Qualifying vulnerabilities
Focus is on vulnerabilities that could expose private user data or in any other way affect user or Boozt data security. Examples of very good and severe vulnerabilities are SQL injection, server-side code execution, and XSS.
Non-qualifying vulnerabilities
* Reports from automated tools or scans
* Rate limitations (e.g. reset password, login, etc.)
* Phishing
* Missing CSRF tokens on forms (we are reviewing this internally and addressing all known cases.)
* Clickjacking
* Missing HTTP security headers
* Non-usage of HTTPS on specific parts of the site (we have a plan for the fixes in the roadmap already)
* Reports of insecure SSL/TLS ciphers
* Reports of insecure crossdomain.xml configuration
* Social engineering of Boozt staff
* Issues on services not under Boozt control
Thanks
We will act as fast as possible on all responsible disclosures to fix them. In addition, we will determine at our discretion whether a report qualifies for a bounty, and the amount, depending on the severity of the report.
Our security bug bounty reward budget is between 100$ and 500$, the lowest being for minor security issues and the highest for severe bugs such as SQL injection or remote code execution.