Bug Bounties

Qulture.Rocks

Powered by: 

Allows bounty splitting: 

Average time to first program response: 365

Average time to bounty awarded: null

Average time to report resolved: 

Handle: qulture_rocks

Managed program: false

Name: Qulture.Rocks

Offers bounties: false

Offers swag: false

Response efficiency percentage: 33

Submission state: open

Url: https://hackerone.com/qulture_rocks

Website: https://hackerone.qulture.rocks/

In scope:

  • Asset identifier: https://hackerone.qulture.rocks/
  • Asset type: URL
  • Availability requirement: high
  • Confidentiality requirement: medium
  • Eligible for bounty: 
  • Eligible for submissions: true
  • Instruction: This is an environment specific to HackerOne. It has almost the same setup as the production environment, so any vulnerability found here will probably affect both. Get in touch if you need test credentials to log in and explore the app. Please do not report issues for our website www.qulture.rocks, only for the app at https://hackerone.qulture.rocks
    # Login strategy
    1. We do not block or limit login attempts with invalid emails;
    2. For valid emails, if the password is incorrect, we activate reCAPTCHA after 2 wrong attempts (only in the production environment);
    3. In order to avoid DDoS, valid users are never blocked due to failed login attempts.
    # Credentials
    Request the credentials by creating a report with the title "Credentials request" (severity: none). We'll reply ASAP :) After we reply, you should close the report within seven days; otherwise, we'll close it as informative.
    # TLS
    We are already aware that the environment is not running the latest TLS version, and that should stay out of scope. Our production environment is using the latest version.
    # Public links
    We do have some public links which may be mistaken for vulnerabilities (e.g. https://hackerone.qulture.rocks/translations and https://hackerone.qulture.rocks/robots.txt).
    # Out of scope items
    The following items are out of scope:
    1. No rate limit for authenticated API requests
    # Contacting us
    We kindly ask you not to send messages to emails you may find on our website for issues related to this forum, and also not to send chat messages for credentials; prefer to send messages via the HackerOne platform.
  • Integrity requirements: high
  • Max severity: critical
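The login strategy stated in the Instruction field (no limiting for invalid emails, a CAPTCHA gate after two wrong passwords on a valid email, never a lockout), modelled as a small reference policy so a tester knows what behaviour to expect. This is an added example written for this page, not Qulture.Rocks' code; the `USERS` store, the password, and the `LoginThrottle` class are constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Constructed user store for the example; not real accounts.
USERS = {"alice@example.com": "correct horse battery staple"}

# Rule 2 from the program text: reCAPTCHA is activated after 2 wrong
# attempts for a valid email. (The program says this is production-only;
# the model below enables it so the gate can be exercised.)
CAPTCHA_THRESHOLD = 2


@dataclass
class LoginThrottle:
    """Per-email failure counter implementing the three stated rules."""

    failures: dict = field(default_factory=dict)

    def attempt(self, email: str, password: str, captcha_solved: bool = False) -> dict:
        """Return {'ok': bool, 'captcha_required': bool} for one login attempt."""
        if email not in USERS:
            # Rule 1: invalid emails are neither counted nor limited.
            return {"ok": False, "captcha_required": False}

        n = self.failures.get(email, 0)
        if n >= CAPTCHA_THRESHOLD and not captcha_solved:
            # Rule 2: gate the valid account behind a CAPTCHA; no password check yet.
            return {"ok": False, "captcha_required": True}

        if hmac.compare_digest(USERS[email], password):
            self.failures[email] = 0
            return {"ok": True, "captcha_required": False}

        # Rule 3: a wrong password only increments the counter; there is no
        # lockout state, so the account can always log in once the CAPTCHA is solved.
        self.failures[email] = n + 1
        return {"ok": False, "captcha_required": self.failures[email] >= CAPTCHA_THRESHOLD}


def probe(throttle: LoginThrottle, email: str, tries: int) -> list:
    """Submit `tries` wrong passwords and return the captcha_required flag of each."""
    return [throttle.attempt(email, "not-the-password")["captcha_required"] for _ in range(tries)]


if __name__ == "__main__":
    t = LoginThrottle()
    print("valid email:  ", probe(t, "alice@example.com", 4))
    print("unknown email:", probe(t, "nobody@example.com", 4))
    print("after captcha:", t.attempt("alice@example.com", USERS["alice@example.com"], captcha_solved=True))
```

Running it shows the stated behaviour: the valid account sees the CAPTCHA gate from the second wrong password onward and still logs in once the CAPTCHA is solved, while the unknown email is never counted. Two caveats follow directly from the program text: the gate is production-only, so its absence on https://hackerone.qulture.rocks is not a finding; and because rules 1 and 2 treat valid and invalid emails differently, a tester should verify whether that difference is observable to an unauthenticated client rather than assume it either way.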