Get Paid to Report Serious Bugs and Security Issues
Put your experience to work for cash or store credit, but most of all to make everyone's experience here better and more secure.
If you checkout or submit contact or lead forms, use
Make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services. Do not access or modify data that does not belong to you. Do not make any information public until the issue has been resolved.
In order to encourage responsible disclosure, we will not bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.
This is Eligible
We decide if the minimum severity threshold is met and whether it was previously reported. Anything which has the potential for financial loss or data breach is of sufficient severity, including: (only the highest severity for a given issue is eligible)
Only the highest severity for a given issue is eligible
$US 2,500.00 Remote code execution / SQL injection
$US 2,500.00 Authentication bypass or privilege escalation
$US 500.00 Click jacking
$US 500.00 Obtaining user information but not enumeration
$US 300.00 XSS
$US 300.00 CSRF
$US ? Other at our discretion
This is In Scope
This is Outside of Scope, Not Eligible
Vulnerabilities on assets hosted by third parties
Denial of service
Out of date software
Attacks requiring physical access to a user's device
Password and account recovery policies, such as reset link expiration or password complexity
Missing security headers which do not lead directly to a vulnerability
Use of a known-vulnerable library (without evidence of exploitability)
Issues related to software or protocols not under Silver Gold Bull control
Reports from automated tools or scans
Reports of spam
Vulnerabilities affecting users of outdated browsers or platforms
Social engineering of Silver Gold Bull staff or contractors
Any physical attempts against Silver Gold Bull property or data centers
Apply Rate Limits of 1 per second to Automated Scanning
If you employ automated scanning tools, their requests must be rate limited to not exceed 1 requests per second. Failure to do so may be considered a DoS attack and will result in disqualification. Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. Please submit an issue only if you have a reproduce-able proof-of-concept.
Send a Rich Report
Detailed steps on reproducing the bug. If valuable, please include any screenshots, links you clicked on, pages visited, etc. Quality not quantity. Keep focused on the technical details and provide precise explanations; stay clear of off-topic commentary. Provide a concrete attack scenario. How will this impact the company or our users?