Bug bounty
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.
Bounty amounts are set at CargoX's discretion and are non-negotiable. Threats or extortion attempts for bounties automatically result in us blocking you forever.
The following issues are considered out of scope:
- Self-XSS that cannot be used to exploit other users
- Verbose messages/files/directory listings without disclosing any sensitive information
- CORS misconfiguration on non-sensitive endpoints
- Missing cookie flags
- Missing security headers
- Cross-site Request Forgery with no or low impact
- Presence of autocomplete attribute on web forms
- Reverse tabnabbing
- Bypassing rate-limits or the non-existence of rate-limits
- Best practices violations (password complexity, expiration, re-use, etc.)
- Clickjacking on pages with no sensitive actions
- CSV Injection
- Host Header Injection
- Sessions not being invalidated (logout, enabling 2FA, etc.)
- Hyperlink injection/takeovers
- Mixed content type issues
- Cross-domain referer leakage
- Anything related to email spoofing, SPF, DMARC or DKIM
- Content injection
- Username / email enumeration
- E-mail bombing
- HTTP Request smuggling without any proven impact
- Homograph attacks
- XMLRPC enabled
- Banner grabbing / Version disclosure
- Open ports without an accompanying proof-of-concept demonstrating vulnerability
- Weak SSL configurations and SSL/TLS scan reports
- Not stripping metadata of images
- Disclosing API keys without proven impact
- Same-site scripting
- Subdomain takeover without actually taking over the subdomain
- Arbitrary file upload without proof of the existence of the uploaded file