Bug bounty program
Reward program for detecting bugs and vulnerabilities in ISPsystem products
We value the efforts of bug hunters, as they help us improve our products. This is why we have launched a reward program for verified bugs and vulnerabilities.
It takes a couple of clicks to participate in the program. It is crucial, though, that the request for participation meets the outlined criteria and that the participant has duly finalized the report and accepted the offer.
Types of bugs
#1 Problems that cause our products to hang, or a service to shut down, as a result of user (not administrator) actions via a panel (for example, once a certain value is entered).
#2 Problems that cause utilization of more resources than those available under a license purchased from ISPsystem (breach of ISPsystem license agreement).
#3 Security problems – access to another user's data can be obtained as a result of certain user actions.
#4 Security problems – administrator rights can be obtained as a result of user actions (not actions of the control panel's main administrator).
#5 Bugs based on social engineering – a privileged or other user is requested to perform an action: perform a certain operation or open a certain URL while logged in to the system. These bugs are reviewed on a case-by-case basis. The reward depends on the likelihood of such an event, or on how unobvious to the victim the consequences of performing the action or opening the URL are.
Clarification
We find it unlikely that any issues will result from an administrator following a URL received via email, a messenger, a request to technical support or otherwise, provided that the administrator is authorized in BILLmanager. An administrator should be cautious and attentive before following odd links. Besides, it is not difficult to predict and eliminate the consequences of following an odd link. We are willing to pay up to $150 for reporting this type of issue.
However, it is considered a severe bug when a link or a script runs automatically, for example, when opening a request to technical support or viewing a list, so that the administrator does not realize that a script has been activated. In such instances you can expect the full reward promised for detection of this type of issue.
Whatever the case, to receive a reward you need to present a working method that results in the issues described in items 1 to 4. If you point out a vulnerability that allows a script to run, but you do not explain how the result can be achieved, the reward may be minimal. The reward will be paid only if we can achieve the result ourselves using the received information as a clue.
The procedure for finalizing messages
- When a problem is found, the client shall prepare clear step-by-step instructions and indicate any other prerequisites for the problem to occur (the problem has to be consistently reproducible), attach control panel logs with the maximum level of debugging, and send a message to our technical support.
- Then our testing team checks whether the problem occurs and, once it has been verified, saves it to our bug register.
- The message review period is 3 business days.
- The first client to report the problem receives the reward immediately once the bug is verified. The reward is paid according to the Program terms and conditions.
Rules and exceptions
- Bugs that have already been made public are not eligible for the Program.
- Information about bugs shall be deemed confidential and shall not be disclosed without the vendor's consent.
- The reward shall only be payable once the vulnerability in the products has been addressed, but no later than one week from the date of application.
- In order to search for vulnerabilities a participant of the program is entitled to use only those products that he/she owns personally. This is to make sure that we do not review problems that have caused damage to third party installations through participant’s actions.
- We do not review cases where an administrator has intentionally compromised the security of his/her server (for example, left the server's password exposed in each user's home directory).
- We do not review cases of artificial denial of service caused by flooding a server with excessive requests carrying lengthy data, as this is a typical example of a DDoS attack.
- Former and active employees of the company as well as their relatives cannot participate in the Program.
- For problems that cause utilization of more resources than those available under a license purchased from ISPsystem (breach of the ISPsystem license agreement), we do not review solutions based on modification of the executable files included in the product.
Fill out a short form to receive your reward