Bounty Factory
First European Bug Bounty platform & Infosec Jobs.


At BountyFactory we take user safety seriously and strive to ensure a safe experience for you when you use our website. We will quickly investigate all legitimate, properly reported security vulnerabilities and try to fix potential problems.

  • - Scope


  • - Report security vulnerability

If you believe you have discovered a security vulnerability in a BountyFactory website, please report it with a thorough explanation of the vulnerability. Please remember to include full details of the security issue, including Proof-of-Concept URL, the details of the system where the tests were conducted and detailed reproduction steps.
Please describe the security issue:

    - Authentication/Authorization
    - Cross-Site Scripting (XSS)
    - Cross-site request forgery (CSRF)
    - Injection
    - Information leakage

  • - Eligibility and Responsible Disclosure

You are responsible for complying with any applicable laws, and you should only use your own accounts or test accounts for reporting vulnerabilities.

To promote the discovery and reporting of vulnerabilities and increase user safety, we ask that you:

    - Share the security issue with us in detail.
    - Give us a reasonable time to respond to the issue before making any information about it public.
    - Not access or modify data without explicit permission of the owner.
    - Act in good faith not to degrade the performance of our services (including denial of service).

We only reward the first reporter of a vulnerability. Public disclosure of the vulnerability prior to resolution will result in disqualification from the program. You must report a qualifying vulnerability through the BountyFactory reporting Platform to be eligible for a monetary reward.

  • - Out-of-scope Vulnerabilities

    - Logout CSRF
    - Our policies on presence/absence of SPF/DMARC records
    - Missing autocomplete attributes
    - Self-XSS (we require evidence on how the XSS can be used to attack another BountyFactory user)
    - Use of a known-vulnerable library (without evidence of exploitability)
    - Social engineering
    - Missing cookie flags on non-sensitive cookies
    - Reports from automated tools or scans
    - HTML Injection
    - Hosting malware/arbitrary content on BountyFactory
    - Issues located within third party components
    - Denial of service attacks


  • - UPDATE 09/06/2016
  • - Out-of-scope Vulnerabilities

    - Rate limiting
    - HTML Injection
    - Hosting malware/arbitrary content on BountyFactory
    - Extension manipulation without any evidence of vulnerability (Attachments)