Bug Bounty Program

Program Eligibility

To be eligible for the program, you must not be a resident of, and must not make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g. Cuba, Iran, North Korea, Sudan, and Syria). In addition:

  • You will comply with all applicable laws and regulations
  • You will let us know as soon as possible following the discovery of a vulnerability
  • You will follow the disclosure guidelines defined below

What's not permitted

  • You may not submit reports generated by automated scanners or tools
  • You will not maliciously exploit any vulnerabilities
  • You will not in any way access any private or confidential information pertaining to Hivelocity, our users, or any third parties
  • You will not conduct Denial of Service testing or any other actions that disrupt services
  • You may not do any testing that could: result in a system that is more vulnerable than it was when discovered, degrade performance, or destroy information
  • You will not conduct social engineering against Hivelocity employees or contractors
  • You will not conduct physical attempts against Hivelocity property

Low severity bug (up to $100):

  • Reflected XSS
  • DOM XSS
  • Server misconfiguration or provisioning errors
  • Information leaks or disclosure (excluding customer data)
  • Open Redirect

Medium severity bug (up to $250):

  • Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
  • Stored XSS
  • Session Hijacking
  • Broken Authentication or Authentication Bypass
  • Directory Traversal
  • Insecure Direct Object Reference

High severity bug ($500-$750):

  • LFI/RFI
  • Server-Side Request Forgery
  • Privilege Escalation

Critical severity bug ($1,500+):

  • SQL injection
  • Remote Code Execution
  • XXE

Non-Qualifying Bugs:

  • DoS/DDoS (Denial of Service) attacks
  • Brute-force attacks
  • Credential-stuffing attacks
  • Social engineering related attacks (phishing, vishing, smishing)
  • Clickjacking/UI-redressing
  • Tabnabbing or other missing rel="noopener" bugs
  • Vulnerabilities reliant on out-of-date browsers/software
  • Mixed content warnings
  • Missing or misconfigured security-related HTTP headers that don't directly lead to a vulnerability
  • Missing cookie flags that do not directly lead to a vulnerability
  • Web Cache Poisoning
  • Content Spoofing
  • Request Smuggling
  • CORS Misconfiguration
  • SPF, DKIM, and DMARC records and flags
  • Assets not owned/managed by Hivelocity (including customer IPs)
  • Server banners

Scope:
www.hivelocity.net
core.hivelocity.net
my.hivelocity.net
store.hivelocity.net

Reporting

If you find a vulnerability please send an email to: [email protected]

Subject: Vulnerability Found:

Bug Bounty Report Requirements:

Vulnerability Name:
Summary:

Impact:

PoC (Proof-of-Concept)
Step 1:
Step 2:
Step 3:
Step ...

Suggested Remediation:

Additional Proof (Screenshots / unlisted youtube video):

####################################################################################
In order for us to appropriately assess the vulnerability you are submitting, we
require some additional information so that we do not mistake your testing
activity for a malicious attack. Please provide whatever of the following you have:

IP Address:
User-Agent:
Email Address:
Client ID: