BitoFree welcomes reports from third party security researchers and their help in making our products and services more secure.
How to send a report
If you would like to submit a bug report, please send the details to [email protected]
In case of valid vulnerabilities, we are happy to pay out an appropriate bounty. At this time, we do not have a formal bounty tier and rate list and determine bounty amounts on a case-by-case basis.
This may change in the future.
The following domains host software developed entirely by us and are fully in scope:
The followwing domains host third party developed software. The infrastructure is within scope, but the applications themselves are not:
The following sites are built and/or maintained by our supplier iFastNet. Please report any identified vulnerabilities to iFastNet.
- Control panel domains: cpanel.epizy.com, cpanel.rf.gd, etc.
- Most services exposed through the control panel, unless explicitly defined as in-scope, e.g.:
- The hosting platform itself, such as vulnerabilities found in the web servers, FTP servers and database servers of the free hosting service.
Out of Scope Vulnerabilities
The following vulnerabilities are considered insignificant. No bounties will be awarded for them.
- Self-XSS that cannot be used to exploit other users
- Verbose messages/files/directory listings without disclosing any sensitive information
- CORS misconfiguration on non sensitive endpoints
- Missing cookie flags on non sensitive cookies
- Missing security headers which do not present an immediate security vulnerability
- Cross-site Request Forgery with no or low impact
- Presence of autocomplete attribute on web forms
- Reverse tabnabbing
- Bypassing rate-limits or the non-existence of rate-limits
- Best practices violations (password complexity, expiration, re-use, etc.)
- Clickjacking on pages without sensitive actions
- CSV Injection
- Host Header Injection
- Sessions not being invalidated (logout, enabling 2FA, etc.)
- Hyperlink injection/takeovers
- Cross-domain referer leakage
- Anything related to email spoofing, SPF, DMARC or DKIM
- Content injection
- Username / email enumeration
- E-mail bombing
- HTTP Request smuggling without any proven impact
- Homograph attacks
- XMLRPC enabled
- Banner grabbing / Version disclosure
- Open ports without an accompanying proof-of-concept demonstrating vulnerability
- Weak SSL configurations and SSL/TLS scan reports
- Not stripping metadata of images
- Disclosing API keys without proven impact
- Disclosing credentials without proven impact
- Arbitrary file upload without proof of the existence of the uploaded file
- Crashes due to malformed URL Schemes
- Attacks requiring the usage of shared computers, man in the middle or compromised user accounts
- Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
- Attacks requiring unrealistic user interaction
- Spam, social engineering and physical intrusion
Additionally, the following rules are true:
- Known Vulnerabilities: In case that a reported vulnerability was already known to the company from their own tests, no bounties will be awarded.
- Theoretical Vulnerabilities: Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded.
- DoS/DDoS attacks or brute force attacks: These attacks are strictly prohibited and will be reported to relevant law enforcement agencies.
- Patching delay: Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.
Rules of Engagement
- Please clean up remnants of your testing and do not interfere with the normal operation of the site.
- Please do NOT use automatic scanners. We cannot accept any submissions found by using automatic scanners.
- Provide detailed but to-the point reproduction steps
- Include a clear attack scenario, a step by step guide in the PoC is highly appreciated
- Suggestions for mitigation are appreciated as well
- Do not exploit the identified leak: only collect the information necessary to demonstrate its existence.
- Do not change or delete any data or system settings.
- Handle any found data in a responsible manner: if you can demonstrate that there is a security problem with a small portion, do not go any further.
- Please do NOT publish/discuss bugs before they are fixed.
- Remember: quality over quantity!
BitoFree considers ethical hacking activities that follow these rules to be “authorized” conduct under criminal law. We will not pursue legal action as long as you comply by these rules, or in case of any accidental, good faith violations.
If a third party initiates legal action against you and you have complied with the terms, BitoFree will take steps to make it known that your actions were conducted in compliance and with our approval.