Bug Bounty Program

since 2018-12-03

Porkbun wants to stamp out any bugs we haven't yet found, and we need the help of the security community to do it. If you find a security vulnerability on Porkbun, we want to hear about it, ASAP.



BE PATIENT: We will assess and process your submission as quickly as possible. Depending on the nature of the vulnerability and available development time it may take up to 30 days for us to fix it and make payment to you.


Porkbun has adopted Bugcrowd’s Vulnerability Rating Taxonomy (VRT) for the purpose of prioritizing and paying out on reported bugs. We currently pay out for P1 through P4 vulnerabilities.



Payout Schedule

If one vulnerability leads to being able to take advantage of multiple vulnerabilities, we will only pay out for the highest value vulnerability. For example, if a P1 vulnerability leads to you being able to complete a higher value "Uber Challenge", only the Uber Challenge will be paid out.

Priority   Bounty       Additional Info
P1         $750
P2         $500
P3         $250
P4         $0 - $100
Other      $0           Please note, while we appreciate the submission, we currently cannot pay out on low priority vulnerabilities. We would be happy to comment on or recommend you via a recognized bug bounty / security website however.

Invalid Vulnerabilities

There are some vulnerabilities that we cannot accept. Reasons may include us already being aware, business needs outweighing potential effect, acceptable due to low level of risk or harm, etc.
Vulnerability    Explanation
Self-XSS         Self-XSS and issues exploitable only through Self-XSS.
Error Messages   Descriptive error messages such as stack traces, application or server errors, HTTP error pages, etc.
CSRF Required    Issues that can only be exploited by an attacker who already holds a valid CSRF token.
Clickjacking     Clickjacking and issues only exploitable through clickjacking.
Already Known    Issues previously submitted, already known internally or publicly, etc.
Public CSRF      CSRF on forms and actions that are available to anonymous users such as search, contact form, cart actions, etc.
CSRF Cookie      The CSRF token cookie is not HttpOnly. We know this and it is by design.
Out of Scope     Issues not directly related to the porkbun.com website. This includes subdomains, email spoofing, SPF/DMARC/DKIM configuration, etc.

Rules

Confidentiality

Confidentiality is important. Do not disclose the nature of any vulnerability to others, either before or after you report it to us. Any vulnerabilities not kept confidential will not qualify for payment.

Submission Requirements

You must submit all required information in order for your submission to be accepted.

  • Each vulnerability must be reported in a separate email. Do not reply to previous reports with additional vulnerabilities; those will be ignored.
  • Email your vulnerability, along with supporting documentation, to abuse@porkbun.com.
  • The subject line should be in the form of "Bug Bounty: [PRIORITY LEVEL]". For example: "Bug Bounty: P2".
  • Include the "OWASP Top Ten + Bugcrowd Extras", "Specific Vulnerability Name", and if available the "Variant or Affected Function" from the VRT mentioned above.
  • Include your PayPal address where you'd like to receive payment.
  • Include a detailed Proof of Concept (PoC). Please include as much detailed information as possible such as screenshots, steps to reproduce, etc.

Additional Rules

  • The decisions made by Porkbun regarding bounties are final and binding.
  • Vulnerabilities must be related to the Porkbun.com website. Issues regarding email spoofing, staging websites, etc will probably be ignored.
  • Don’t commit any crimes or engage in illegal activity.
  • You’re solely responsible for paying taxes on rewards as appropriate in your jurisdiction.
  • Don’t mislead, abuse, or in any way engage with Porkbun customers. Use test accounts if you need to simulate an interaction.
  • A phishing scheme is probably not a vulnerability, don't make one.
  • Do not use Denial of Service attacks, scrape the site, or otherwise stress the site to find a vulnerability.
  • Don’t harm anyone, by any definition of the word “harm.”
  • Anonymous submissions are not allowed. To receive a payment, you must agree to us confirming your identity.
  • We may ask you to sign a W-9 tax form or other similar form required by the IRS.
  • By submitting the vulnerability, you assign full intellectual property of the report to Porkbun and relinquish any copyright to the report itself.
  • If you reside in a country under US sanctions, unfortunately we will be unable to make payment to you.

Copyright © Porkbun LLC. All rights reserved.