Bug Bounty Program

Scope

The program covers our corporate website www.cdn77.com and our customer portal client.cdn77.com.

The primary focus is on identifying and mitigating critical security vulnerabilities, such as:

• Server-Side Request Forgery (SSRF).
• Remote Code Execution (RCE).
• Ability to modify other customer accounts.
• Ability to obtain sensitive information.
• Stored Cross-Site Scripting (XSS) resulting in the ability to obtain or modify customer data.
• Reflected XSS resulting in the ability to obtain or modify customer data.

Out of scope

Certain areas are out of scope. The testing of any vulnerabilities outside the defined scope is strictly prohibited and will result in disqualification from eligibility for legal safe harbor protections.

The following issues are out of scope and will not be considered as security vulnerabilities:

• Clickjacking on pages with no sensitive actions.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms without sensitive actions.
• Attacks requiring man-in-the-middle (MITM) or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept (PoC).
• CSV injection without demonstrating an actual vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could result in service disruption, including DoS.
• Content spoofing and text injection issues without an exploitable attack vector.
• Rate limiting or brute force issues on non-authentication endpoints.
• Missing best practices in Content Security Policy (CSP).
• Missing email best practices (e.g., SPF/DKIM/DMARC records).
• Vulnerabilities that only affect users of outdated or unpatched browsers (< 2 stable versions behind).
• Software version disclosure, banner identification issues, or descriptive error messages (e.g., stack traces)
• Cached/stored content of our customers.
• Lack of Security Headers

These are not eligible unless they directly lead to one of the vulnerabilities described in P1–P4.