Looking for our research? We've moved it to a dedicated page

PortSwigger bug bounty program

Dafydd Stuttard | 30 November 2016 at 12:13 UTC

PortSwigger bug bounty program

Today we are pleased to announce our bug bounty program. This covers:

The program is managed on HackerOne, and all reports should be submitted through that platform.

Access the PortSwigger bug bounty program on HackerOne.

Visit HackerOne

Full details of the program policy are reproduced below. Please read the policy carefully and in full before carrying out any testing or submitting any reports.

Scope

Subdomains of portswigger.net like support.portswigger.net are strictly out of scope. Do not test these.

If you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that.

Vulnerabilities of interest

Here are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:

Critical - $5000

High - $3000

Medium - $1000

Any medium severity issue involving unlikely user interaction - $350

Issues not of interest

The following are strictly forbidden and may result in you being barred from the program, the website, or both:

We are not interested in low severity, purely theoretical and best-practice issues. Here are some examples:

There are a few known issues we consider to be low severity, but may fix eventually:

Some other caveats:

What constitutes a vulnerability in Burp Suite?

The system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.

Contact

If you have any questions, you can contact us at support@portswigger.net.

Good luck and have fun!