Bug Bounty Program

Due to an increased volume of invalid reports, we are temporarily suspending our bug bounty program. All reports submitted prior to November 13, 2024, will be reviewed and compensated in accordance with the original agreement.

Please contact our team for further information.

Scope (applicable to prior reports)

The program covers our corporate website www.cdn77.com and our customer portal client.cdn77.com.

The primary focus is on identifying and mitigating critical security vulnerabilities, such as:

  • Server-Side Request Forgery (SSRF).
  • Remote Code Execution (RCE).
  • Ability to modify other customer accounts.
  • Ability to obtain sensitive information.
  • Stored Cross-Site Scripting (XSS) resulting in the ability to obtain or modify customer data.
  • Reflected XSS resulting in the ability to obtain or modify customer data.

Out of scope (applicable to prior reports)

Certain areas are out of scope. The testing of any vulnerabilities outside the defined scope is strictly prohibited and will result in disqualification from eligibility for legal safe harbor protections.

The following issues are out of scope and will not be considered as security vulnerabilities:

  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms without sensitive actions.
  • Attacks requiring man-in-the-middle (MITM) or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept (PoC).
  • CSV injection without demonstrating an actual vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could result in service disruption, including DoS.
  • Content spoofing and text injection issues without an exploitable attack vector.
  • Rate limiting or brute force issues on non-authentication endpoints.
  • Missing best practices in Content Security Policy (CSP).
  • Missing email best practices (e.g., SPF/DKIM/DMARC records).
  • Vulnerabilities that only affect users of outdated or unpatched browsers (< 2 stable versions behind).
  • Software version disclosure, banner identification issues, or descriptive error messages (e.g., stack traces).
  • Cached/stored content of our customers.
  • Lack of security headers.

Rewards (applicable to prior reports)

The reward structure for this program is based on the severity of the reported vulnerability, the potential impact, and the ease of exploitation. We utilize Bugcrowd’s Vulnerability Rating Taxonomy as a general guideline for rating and categorizing vulnerabilities. However, this taxonomy is intended as a reference only, and we reserve the right to decline certain reports if the identified issue is not significant within our specific context. If any vulnerabilities are stated in these Program Terms as out of scope while being categorized as a vulnerability in Bugcrowd’s Vulnerability Rating Taxonomy, the Program Terms take precedence.

We reserve the right to adjust bounty awards based on the proven impact of the vulnerability. This ensures that reports demonstrating a significant, real-world effect will be compensated accordingly, while reports identifying issues without measurable impact or without relevance to our specific context may receive lower compensation or no reward.

Technical severity    Reward
P1                    $2,000 - $3,000
P2                    $1,000 - $2,000
P3                    $500 - $1,000
P4                    $250 - $500
P5                    $100 - $250