Bug Bounty Program

CDN77 is committed to ensuring the security and privacy of our systems, data, and users. We encourage you, as security researchers, to responsibly report vulnerabilities you discover.

Submit a report

By participating in our Bug Bounty Program, you agree to the full terms and conditions.

Scope

The program covers our corporate website www.cdn77.com and our customer portal client.cdn77.com.

The primary focus is on identifying and mitigating critical security vulnerabilities, such as:

  • Server-Side Request Forgery (SSRF).
  • Remote Code Execution (RCE).
  • Ability to modify other customer accounts.
  • Ability to obtain sensitive information.
  • Stored Cross-Site Scripting (XSS) resulting in the ability to obtain or modify customer data.
  • Reflected XSS resulting in the ability to obtain or modify customer data.

Out of scope

Certain areas are out of scope. The testing of any vulnerabilities outside the defined scope is strictly prohibited and will result in disqualification from eligibility for legal safe harbor protections.

The following issues are out of scope and will not be considered as security vulnerabilities:

  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms without sensitive actions.
  • Attacks requiring man-in-the-middle (MITM) or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept (PoC).
  • CSV injection without demonstrating an actual vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could result in service disruption, including DoS.
  • Content spoofing and text injection issues without an exploitable attack vector.
  • Rate limiting or brute force issues on non-authentication endpoints.
  • Missing best practices in Content Security Policy (CSP).
  • Missing email best practices (e.g., SPF/DKIM/DMARC records).
  • Vulnerabilities that only affect users of outdated or unpatched browsers (< 2 stable versions behind).
  • Software version disclosure, banner identification issues, or descriptive error messages (e.g., stack traces).
  • Cached/stored content of our customers.
  • Lack of security headers.

Rewards

The reward structure is based on the severity of the reported vulnerability, its potential impact, and the ease of exploitation. For the purpose of rating and categorizing vulnerabilities, we use Bugcrowd's Vulnerability Rating Taxonomy.

We reserve the right to award higher compensation for vulnerabilities deemed exceptionally innovative or severe, and to award lower compensation for vulnerabilities that necessitate atypical or complex user interaction.

Technical severity    Reward
P1                    $2,000 - $3,000
P2                    $1,000 - $2,000
P3                    $500 - $1,000
P4                    $250 - $500
P5                    $100 - $250

Safe Harbor

We offer legal safe harbor for participants acting in good faith. This means we will not pursue legal action against individuals who follow these Program Terms, including rules on responsible disclosure and scope, provided that they report the vulnerabilities through our Bug Bounty Program.
