Pentest-Tools.com
Bug Bounty Program
If you are a security researcher and have discovered a security vulnerability in one of our services, we appreciate your help in disclosing it to us in a responsible manner. We will validate and fix vulnerabilities in accordance with the policies below. As soon as your reported vulnerability is officially accepted by our team, you are eligible to appear in our Hall of Fame.
Who can participate?
Anyone who doesn't work for Pentest-Tools.com or partners of Pentest-Tools.com, who signals a security issue in scope and does not disclose it to a third party before we have patched and updated the issue.
Acceptable techniques
Please don't perform research that could impact other users. Also, please keep reports short and succinct. If we fail to understand the logic of your bug, we will tell you.
In general, please refrain from the following:
- Do not use weaknesses you discover for purposes other than your own investigation.
- Do not use social engineering to gain access to a system.
- Do not compromise our system security in any way, even if you just want to prove a point.
- Do not alter or delete any information in the system. If you need to copy information for your investigation never copy more than you need. If one record is sufficient, do not go any further.
- Do not alter the system in any way.
- Do not share access or details of any vulnerable system with others.
- Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems.
- Do not use automated tools which can affect and deteriorate system performance, integrity, and availability.
Domains and services in scope
- The root domain: pentest-tools.com
- The www subdomain: www.pentest-tools.com
- The app subdomain: app.pentest-tools.com
- Any other subdomain not explicitly specified above: *.pentest-tools.com
- ptt-logger.net and any of its subdomains: *.ptt-logger.net
Domains and services out of scope
- Any subdomain that starts with "test" (e.g. testing1.pentest-tools.com)
- Any subdomain that consists only of numbers ([0-9]+.pentest-tools.com)
If you can, however, prove that a bug under these domains has significant impact (for example, fetching content on pentest-tools.com from support.pentest-tools.com), the bug may qualify anyway.
Qualifying vulnerabilities
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is in scope for the program. Common examples include:
- Persistent Cross-site scripting (Persistent XSS),
- Open redirect,
- Cross-site request forgery (CSRF),
- Business logic bypass,
- File inclusion,
- Mixed-content scripts,
- Authentication or authorization flaws and bypass,
- Privilege escalations,
- Injection attacks (SQL, XML, JSON, etc.),
- Remote code execution (RCE),
- Server-side code execution bugs and request forgery (SSRF).
Non-qualifying vulnerabilities
Depending on their impact, some of the reported issues may not qualify. Although we review them on a case-by-case basis, here are some of the common low-risk issues that typically do not earn a reward:
- Any vulnerability not adhering to the Scope above.
- Any vulnerability not demonstrated with an attack scenario or exploit explanation.
- Typical "no impact" bugs such as:
  - Self XSS (XSS without any real impact, e.g. <script>alert(1);</script>),
  - Missing Cookie flags on non-session cookies or 3rd party cookies,
  - Logout CSRF,
  - Social engineering,
  - Denial of service,
  - SSL BEAST/CRIME/etc,
  - Email spoofing, SPF, DMARC & DKIM.
- Any vulnerability previously disclosed publicly or to any third party.
- Any vulnerability we had knowledge of prior to the report.
How should reports be formatted and sent?
We would like you to format your reports like this:
Name: %name
Twitter: %twitter
Bug type: %bugtype
Domain: %domain
Severity: %severity
URL: %url
PoC: %poc
Screenshots (optional): %screenshots
CVSS (optional): %cvss
CWSS (optional): %cwss
Please direct all your reports to: security@pentest-tools.com.
Rewards
Pentest-Tools.com does not (for the moment) offer any monetary rewards for Bug Bounty Hunting and Responsible Disclosure. This will likely change in the future, when we might even choose to reward a number of previously unrewarded Bug Bounty Hunters that have helped us in the past.
At this time, you will be rewarded by being placed on the Hall of Fame for your efforts, and you will have our thanks.
Availability
Pentest-Tools.com reserves the right to discontinue the reward program at any time without prior notice.
Legal points
We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to enter depending upon your local law.
Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own. You should also not use any techniques that send a high degree of traffic our way, or that are unnecessary in order to find or demonstrate the weakness you identified.