Segments in Scope
- Anything that does not involve accessing sensitive user information, such as (but not limited to) emails, passwords, and private messages, is in scope.
- Anything that does not involve modifying a file is in scope.
Qualifying Vulnerabilities
- Cross-site scripting,
- Cross-site request forgery,
- Mixed-content scripts,
- Authentication or authorization flaws,
- SQL injections,
- Server-side code execution bugs.
Rules of Engagement
- Please inform me about your intentions before testing vulnerabilities. This is not an absolute requirement, except if you are doing something that potentially compromises the security of the server, such as a remote execution exploit. While I understand most companies do not have this requirement, those are companies: I alone manage the code base and the server. As such, it's very easy to get in touch with me, and I'm a little bit more worried about someone doing something by accident that ruins the server.
- Please inform me of your results as soon as possible.
- Do not share with others anything about the vulnerability until I have plugged it. This includes just saying you successfully hacked YWS. After I have plugged it, you are free to say how you did it.
Questions?
I am keeping this thread locked just to keep it tidy. If you have any questions, please send me a PM.