hackerone.com
Open in
urlscan Pro
2606:4700::6810:6434
Public Scan
URL:
https://hackerone.com/fetlife
Submission: On February 02 via api from LU — Scanned from DE
Submission: On February 02 via api from LU — Scanned from DE
Form analysis 0 forms found in the DOM
Text Content
Skip to main content > Hacktivity Opportunities Directory Leaderboard Learn more about HackerOne Log in FETLIFE FetLife is the Social Network for the BDSM, Fetish & Kinky Community. https://fetlife.com Reports resolved 223 Assets in scope 2 Average bounty - Submit report give feedback icongive feedback icon Give feedback Bug Bounty Program Launched in Jan 2021 * Policy * Scope New! * Hacktivity * Thanks * Updates (0) This program requires two-factor authentication enabled to participate in. Policy MenuMenu No technology is perfect, and FetLife believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly. RESPONSE TARGETS FetLife will make a best effort to meet the following SLAs for hackers participating in our program: Type of ResponseSLA in business daysTime to first response5 daysTime to triage10 daysTime to bounty15 daysTime to resolutiondepends on severity and complexity PROGRAM RULES * Reports must include concrete and clear reproducible steps that do not require any commercial tools * Register all accounts using your <hackerone_username>+x@wearehackerone.com address. * Not interact with other accounts without the explicit consent of their owners. * Communicate with FetLife's engineering team exclusively via HackerOne. * Be the first person to report the issue to us. In cases where you submit a vulnerability that is already acknowledged, we will only award a bounty if it: proves to be more extensive, or provides more information. * If vuln appears to affect multiple domains please include in single report. You will be rewarded correctly as it warrants?? * Do not use shared fake / temporary phone services. If our website requires you to enter a phone number, contact us at security@fetlife.com and we'll take care of it. You are responsible for your test accounts at fetlife.com, so please use common security practices to secure those accounts. DISCLOSURE POLICY * Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. * Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. * Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our service. * Only interact with accounts you own or with the explicit permission of the account holder. BOUNTY REWARD PROGRAM To show our appreciation of responsible security researchers, FetLife offers a monetary bounty for reports of qualifying security vulnerabilities. Vulnerability TypeAverage BountyRemote Code Execution (RCE) on FetLife Servers$6,000SQL Injection (with output)$4,000SQL Injection (blind)$2,000Privilege Escalation Flaw$1,500User Impersonation Vulnerability$1,500Server Side Request Forgery (SSRF)$1,000Local file Inclusion$500Stored Cross Site Scripting$500Stored Self Cross Site Scripting$150Self Cross Site Scripting$50Sensitive Data Exposure$500Cross-Site Request Forgery (CSRF)$500Improper Direct Object Reference (IDOR)$500User-Activity Exposure Flaw$200Open Redirect$150User-Specific Authorization Bypass$100Generic Authorization Flaw$100Other$100+ To clarify the distinctions among the specified vulnerability types, predominantly within the group that would fit the description of "authorization flaws", refer to the following list: * Generic Authorization Flaw - A catch-all category encompassing miscellaneous authorization flaws with minimal impact on our user. * User-Specific Authorization Bypass - Any vulnerability pertinent to the user in question without data leaks. Actions such as editing one's own comments from banned groups are examples. * User-Activity Exposure Flaw - Resembling User-Specific Authorization Bypass, yet unveiling actions or data concerning other users. For instance, viewing likes on a comment from a group one is banned from, or receiving notifications from closed groups (without the ability to view the content). * Sensitive Data Exposure - Entails the ability to view content in unauthorized zones or on a broader scale than the User-Activity Exposure Flaw. * User Impersonation Vulnerability - Pertains to masquerading as another user, except if the sole attack vector differs from the types listed in the table above. For instance, employing XSS from your primary account on your secondary account to access the latter account will be classified as XSS, not this vulnerability. However, being able to log in as a different user qualifies. * Privilege Escalation Flaw - Refers to unauthorized elevation of permissions, like assuming the role of a caretaker. However, if such action results from executing an XSS or a similar attack on an elevated user, it won't be categorized here. NOTE: In line with HackerOne's guidelines, post-triage of reports, we reserve the right to label reports as duplicates if they would be resolved due to another preceding report. For example, if a singular flaw in our code affects our entire website, we will address only the first report and label subsequent ones as duplicates. Triage implies successful replication of the issue and does not guarantee a reward. Rewards will be allocated solely when our developers confirm the issue is unique and have started working on them. OUT OF SCOPE We do not consider the following to be eligible vulnerabilities under this program: * Denial of Service * Email spoofing * Spamming * Rate-limiting * Click-jacking * Content spoofing * SPF, DMARC or other email configuration related issues * Lack of DNSSEC * SSL configuration issues * Disclosure of server or software version numbers * Generic examples of Host header attacks without evidence of the ability to target a remote victim * Password or account recovery policies, such as reset link expiration or password complexity * Theoretical sub-domain takeovers with no supporting evidence * Perceived security weaknesses without evidence of the ability to target a remote victim. For example credentials are transmitted in POST body as plain text over TLS without demonstrating impact, etc. * Reports exploiting unsupported browsers * False reports, or reports lacking evidence of a vulnerability * Attacks requiring a Man-in-the-Middle, with no other possible exploitation * CSV injection that affects third-party applications * Android Application (https://github.com/fetlife/android) * iOS Application (https://github.com/fetlife/ios * Configuration issues on end users machines. For example password storage or cache settings. DISQUALIFIERS * Interacting with other accounts without the explicit consent of their owners. * Denial of service * Social engineering of any kind * Physical intrusion * Automated scanning and brute-forcing * Requests to /ads/serve, /ads/application_serve*, and /ads/click/* * Overwhelming our support team with messages * Mentioning PHP QUESTIONS * You can contact us with any questions at security@fetlife.com We offer a bounty of up to $5000 for helping us to protect our community. * Last updated on November 15, 2023. * View changes Looking for what's in scope? Check out the new Scope tab above. Response Efficiency 2 days Average time to first response 4 days Average time to triage 3 days Average time to bounty 6 days Average time to resolution 80% of reports Meet response standards Based on last 90 days Program Statistics Updated Daily $100 Minimum bounty $48,302 Total bounties paid $500 - $1,000 Top bounty range $700 Bounties paid in the last 90 days 15 Reports received in the last 90 days 3 months ago Last report resolved 223 Reports resolved 120 Hackers thanked Top hackers xploiterr Reputation:952 balerion Reputation:685 chernobyl Reputation:372 rhinestonecowboy Reputation:311 trieulieuf9 Reputation:274 All Hackers © HackerOne * Opportunities * Security * Leaderboard * Blog * Docs * Support * Disclosure Guidelines * Press * Privacy * Terms * It looks like your JavaScript is disabled. To use HackerOne, enable JavaScript in your browser and refresh this page.