- Rules for you
Don’t attempt to gain access to another user’s account or data.
Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
Don’t publicly disclose a bug before it has been fixed.
Only test for vulnerabilities on sites you know to be operated by Web Hosting Magic and listed under open bounties. Sites not listed should not be tested.
Do not impact our users with your testing; this includes testing for vulnerabilities. We may ban your IP address if you do so.
Don’t use scanners, scrapers or any other automated tools in your testing. They’re noisy and we may ban your IP address.
Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
When in doubt, contact us at redteam[at]webhostingmagic.com
- Rules for us
We will respond as quickly as possible to your submission.
We will keep you updated as we work to fix the bug you submitted.
We will not take legal action against you if you play by the rules.
- What does not qualify?
Bugs that don’t affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). Bugs related to browser extensions are also out of scope.
Bugs requiring exceedingly unlikely user interaction.
Submissions which don’t include steps to reproduce the bug, or only include those steps in video form.
Bugs such as timing attacks.
Insecure cookie settings for non-sensitive cookies.
Disclosure of public information and information that does not present significant risk.
Bugs that have already been submitted by another user, or that we are already aware of, are ineligible.
Bugs in applications not listed under open bounties are generally not eligible. Look at individual bounties for details on scope.
Bugs in content/services that are not owned/operated by Web Hosting Magic. This includes our users’ code, and third party services operating on subdomains outside of direct websites.
Vulnerabilities that Web Hosting Magic determines to be an accepted risk will not be eligible for a paid bounty or listing on the site.
Scripting or other automation and brute forcing of intended functionality.
When in doubt, contact us at redteam[at]webhostingmagic.com.
- Enterprise Reward
Rewards range from 1-3 months of free hosting, or as may be determined at our discretion based on a number of factors. For example, a vulnerability in a service that is intended to be restricted from external access would have a lower reward than one in a backend. Or if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.
- Web Hosting Magic CSP
Previously identified attacks are not eligible for reward (we’ve put a lot of thought into CSP bypasses already). Attacks against CSP features not used on webhostingmagic.com or its sub-domains, such as script nonces, are not eligible for reward. Vulnerabilities resulting from injection in implausible locations, such as within an element that doesn’t contain user-content, are not eligible for reward. Rewards are determined at our discretion: if you think you’ve found something cool and novel, report it!
- Other applications
Web Hosting Magic builds and operates a number of web properties and applications. Not all of them are currently part of an open bounty, however, we still appreciate the effort researchers put forth to identify vulnerabilities. Vulnerabilities found in applications not specifically listed on the open bounties are not currently eligible for cash rewards.
There are a handful of reports that we consider ineligible, either because the feature is working as intended or we accept the low risk as a security/usability tradeoff:
- Clickjacking a static site
There are several other Web Hosting Magic owned sites created using static HTML or a static site generator. These applications do not contain any sensitive user information or authenticated sessions. As a result, they are not at risk of a clickjacking attack.
- Host header injection
Host header injection reports are ineligible unless they can be shown to cause a specific security issue. We set the Strict-Transport-Security header and are in the browser preload lists, which prevents active network attacks that may attempt to inject the header.
- Email verification policy
Any email address that is not already associated with an account on Web Hosting Magic may be claimed and this will give client privileges to the claiming user if the account is active. Disputes around emails on accounts can be resolved by contacting our support team.
- Phishing using Unicode homoglyphs or RTLO characters
We are aware of different ways that Unicode - specifically homoglyphs and RTLO characters - can be used to display misleading information to users. We consider these low-risk and ineligible for a reward. If you have noticed someone using Web Hosting Magic for phishing, please let us know.
- Can I donate my reward to a charity?
Yes. We know that some of you would prefer your bounty reward go toward helping someone else. If you choose, we will donate your reward to an established 501(c)(3) charitable organization of your choice. Web Hosting Magic will also match your donation - subject to our discretion. Any rewards that go unclaimed after 12 months will be donated to a charity of Web Hosting Magic’s choosing.
- I reported a vulnerability but no response!
Please allow up to 72 hours for an initial response. Also realize that spam filters and email in general can sometimes be problematic. If you ever feel we are not communicating in a timely fashion, definitely let us know.
- Can I submit a video proof-of-concept?
You can certainly attach a video if you believe it will clarify your submission. However, all submissions must also include step-by-step instructions to reproduce the bug. The security team will let you know if we think a video will clarify your report. Submissions which only include video reproduction steps will have a longer response time and we may close your submission as
- How is the bounty reward determined?
Our security and development teams take many factors into account when determining a reward. These factors include the complexity of successfully exploiting the vulnerability, the potential exposure, as well as the percentage of impacted users and systems. Sometimes an otherwise critical vulnerability has a very low impact simply because it is mitigated by some other component, e.g. requires user interaction, an obscure web browser, or would need to be combined with another vulnerability that does not currently exist.
- What are points?
We are trying to make this fun. We assign a point value to each vulnerability and list it on this site. The researchers with the most points are listed on our leaderboard. While we use many of the same metrics when determining point value as for dollar value, other non-tangible factors are considered as well. For example, if you provide an awesome writeup of a vulnerability with a functional POC, that will be factored in.
- What if I do not want my submission published?
Please still send us your vulnerability! We will only publish your submission after your approval. To be visible within the leaderboard you must provide us with a Web Hosting Magic username. This allows us to link submissions to a single user and generate your sweet profile page.
- Can I submit my report via a third-party?
Web Hosting Magic’s Bug Bounty program is designed to both reward individual researchers and increase the security of all Web Hosting Magic users. We don’t believe that disclosing Web Hosting Magic vulnerabilities to third parties achieves either of those goals. As a result, any vulnerabilities that are disclosed to a third party before being submitted to our program are ineligible for rewards.
- I don't live in the United States, am I eligible?
Yes, international researchers are eligible. Researchers between 13 and 18 years of age are also eligible, however, those in the United States will need to submit a guardian consent form before any payment can be made. Individuals under 13 years of age are not eligible to participate due to U.S. federal law.
- What are the legal terms of Web Hosting Magic's Bug Bounty program?
By participating in Web Hosting Magic’s Bug Bounty program (the “Program”), you acknowledge that you have read and agree to Web Hosting Magic’s Terms of Service as well as the following:
You’re not participating from a country against which the United States has issued export sanctions or other trade restrictions, including Cuba, Iran, North Korea, the Sudan and Syria.
Your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.
You are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.
Web Hosting Magic reserves the right to terminate or discontinue the Program at its discretion.