MVPS.net Bug Bounty Program

We consider the security of our systems a top priority. It is understood that no system is perfect and there can always be flaws in a techonolgy. We are looking forward to working with skilled security researchers to protect our customers.

If you believe you have identified a security issue in our product or service, we encourage you to notify us.



Guidelines for responsible disclosure
  • Let us know as soon as possible upon discovery of a potential security issue, and we will make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • No unauthorized impersonation: any unauthorized attempts to socially engineer another party through impersonation of a MVPS.net employee, another hacker, or a security team will not be tolerated.
  • If you comply with all conditions set in the guidelines, we will not take any legal action against you regarding this report.
  • Your report will be confidential, we will not share your personal information with third parties without prior consent, unless this is necessary to comply with a legal obligation.


Rewards

To show our appreciation of responsible security researchers, MVPS.net offers bounties for reports of qualifying security vulnerabilities. Bounties will be awarded in the form of financial compensation(s) or MVPS.net merchandise. The amount that is rewarded per bounty is at discretion of MVPS.net and will be based on the internal severity rating of the disclosed vulnerability. The bounty will be communicated after validation of the security vulnerability by our internal teams.



To qualify for a reward, you must:

  1. Be the first reporter of the vulnerability.
  2. Follow the guidelines as described on this page.
  3. Not publicly disclose the vulnerability prior to our resolution.
  4. Provide a working proof of concept that exploits the security issue
  5. Solely use your created accounts and not access data of other users
  6. Not be an inhabitant of any country listed on the Specially Designated Nationals and Blocked Persons (SDN) list
  7. Not be an inhabitant of any country listed on the Consolidated List of persons, groups and entities subject to EU Financial Sanctions list.


Absolute Exclusions
  • Social engineering (including phishing)
  • Any physical attempts against MVPS.net property or data centers
  • Physical attack on the infrastructure
  • Denial of service
  • CSRF
  • Self-XSS
  • Miss of rate limits
  • Report from automated tools and scans
  • Bugs in 3rd party software
  • X-Frame-Options related
  • Missing cookie flags
  • Missing security headers which do not lead directly to a vulnerability
  • DKIM/SPF/DMARC issues
  • Version exposure
  • Directory listing
  • Content spoofing on error pages or text injection
  • Clickjacking and issues only exploitable through clickjacking.
  • Any kind of Browser vulnerabilities
  • Homograph attacks
  • Weak Captcha / Captcha Bypass
  • OPTIONS HTTP method enabled
  • Content Spoofing / Text Injection
  • Cache related issues
  • Authentication session timeouts (it's IP bound and has a 1h timeout) or session expiration on password changes/2fa/password reset etc.
  • Any attack that comes from having access to the user's computer (physical or remote)
  • Open redirects
  • Password policy
  • Server IP Disclosure
  • Password verification on email change or 2FA
  • Wordpress vulnerabilities
  • SSL Issues
  • Missing noreferer, noopener
  • Any kind of brute forcing
  • Parameter tampering for payment processors
  • User enumeration by brute force


Due to the large number of invalid requests, we will not reply to reports that are on our absolute exclusions list.


How to report

Please send your initial findings to security@mvps.net.