Bug Bounty
We acknowledge the crucial role that security researchers and our user community play in ensuring the security of Buio and our users. If you have discovered a vulnerability in our site or product, you may be eligible for a monetary reward based on the terms and conditions of our Bug Bounty Program.
Please submit your bug reports to bugbounty@buio.com.
Rewards
We strive to reward valid reports within 30 days of acceptance, often sooner. Bounty rewards will be calculated according to CVSS 3.1 standards where applicable. For our program, we refer to the official CVSS 3.1 reference at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator. At our discretion as program owners, certain report types may not receive rewards based on the CVSS 3.1 score. Such reports will either receive a fixed amount reward or will be evaluated on a case-by-case basis. Further details can be found in our official document.
Rules
Any activities conducted in accordance with this policy will be considered authorized conduct, and we will not take legal action against you. If a third party initiates legal action against you in connection with activities carried out in compliance with this policy, we will acknowledge that your actions were in accordance with this policy. Buio reserves all legal rights in the event of noncompliance with this policy.
Eligibility
- Be at least 16 years of age. If you are 16 years old but considered a minor in your place of residence, you must obtain permission from your parent or legal guardian before participating in the program.
- Must not be employed by Buio or any of its affiliates, or an immediate family member of an employee at Buio or any of its affiliates.
- Must not be a resident of, or make submissions from, a country against which the United States has imposed export sanctions or other trade restrictions, and must not be an embargoed or restricted person.
- Must not violate any national, state, or local laws or regulations related to any activities directly or indirectly associated with the program.
The DOs
- Abide by the Program Terms.
- Respect privacy and make a good faith effort not to access, process, or destroy personal data.
- Be patient and provide clarifications in good faith to any questions we may have about your report.
- Interact respectfully with our team, and we will reciprocate.
- Conduct testing only using your own personal/test accounts.
- Exercise caution during testing to avoid any negative impact on customers or the services they rely on.
- Stop testing whenever unsure. If you believe testing a vulnerability may cause or has caused damage, report your initial findings and request authorization to continue testing.
The DO NOTs
- Leave any system in a more vulnerable state than you found it.
- Engage in brute force or guess credentials to gain unauthorized access to systems.
- Participate in denial of service attacks.
- Upload shells or create any type of backdoor.
- Publicly disclose a vulnerability without our explicit review and consent.
- Engage in any form of social engineering targeting Buio employees, customers, affiliates, or partners.
- Attempt to extract, download, or exfiltrate data that may contain Personal Identifiable Information or other sensitive data, unless it belongs to you.
- Change passwords of any account that does not belong to you or for which you do not have explicit permission to change. If prompted to change the password for an account you did not create or were not authorized to use, immediately stop and report your findings.
- Engage in activities that violate privacy, cause data destruction, or disrupt our services.
- Interact with accounts that you do not own.
Out of Scope
The following activities are considered out of scope for our Bug Bounty Program:
- Physical or social engineering attempts, including phishing attacks against Buio employees.
- Ability to send push notifications/SMS messages/emails without the ability to change content.
- Ability to take over social media pages (Twitter, Facebook, LinkedIn, etc.).
- Reports with negligible security impact.
- Unchained open redirects.
- Reports stating that software is out of date or vulnerable without providing a proof-of-concept.
- Highly speculative reports about theoretical damage.
- Vulnerabilities reported by automated tools without additional analysis demonstrating their impact.
- Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated.
- SSL/TLS scan reports (e.g., output from SSL Labs).
- Open ports without an accompanying proof-of-concept demonstrating vulnerability.
- CSV injection.
- Best practices concerns.
- Protocol mismatch.
- Rate limiting.
- Dangling IPs.
- Vulnerabilities that cannot be used to exploit other users or Buio, such as self-xss or executing JavaScript in the browser console.
- Missing cookie flags on non-authentication cookies.
- Reports that only affect outdated user agents. Exploits are only considered in the latest browser versions for Safari, Firefox, Chrome, Edge, and IE.
- Issues requiring physical access to a victim’s computer or device.
- Path disclosure.
- Banner grabbing issues (determining the web server used, etc.).
- If a site is complying with the privacy policy, there is no vulnerability.
- Enumeration/account oracles.
- Account oracles - the ability to submit a phone number, email, UUID, and receive a message indicating the existence of a Buio account.
- Distributed denial of service attacks (DDoS).
Details
When you are ready to make a submission, please ensure that you have thoroughly read our Bug Bounty Program Policy and then email us at bugbounty@buio.com.