Porkbun wants to stamp out any bugs we haven't yet found, and we need the help of the security community to do it. If you find a security vulnerability on Porkbun, we want to hear about it, ASAP.
BE PATIENT: We will assess and process your submission as quickly as possible. Depending on the nature of the vulnerability and available development time it may take up to 30 days for us to fix it and make payment to you.
Porkbun has adopted Bugcrowd’s Vulnerability Rating Taxonomy (VRT) for the purpose of prioritizing and paying out on reported bugs. We currently payout for P1 through P4 vulnerabilities.
View Bugcrowd’s VRT
Payout Schedule
If one vulnerability leads to being able to take advantage of multiple vulnerabilities, we will only payout for the highest value vulnerability. For example, if a P1 vulnerability leads to you being able to complete a higher value "Uber Challege", only the Uber Challege will be paid out.
| Priority | Additional Info | Bounty |
|---|
| P1 | | $750 |
| P2 | | $500 |
| P3 | | $250 |
| P4 | | $0 - $100 |
| Other | Please note, while we appreciate the submission we currently cannot payout on low priority vulnerabilities. We would be happy to comment on or recommend you via a recognized bug bounty / security website however. | $0 |
Invalid Vulnerabilities
There are some vulnerabilities that we cannot accept. Reasons may include us already being aware, business needs outweighing potential effect, acceptable due to low level of risk or harm, etc.
| Vulnerability | Explanation |
|---|
| Self-XSS | Self-XSS and issues exploitable only through Self-XSS. |
| Error Messages | Descriptive error messages such as stack traces, application or server errors, HTTP error pages, etc. |
| CSRF Required | Issues exploitable by requiring a valid CSRF token. |
| Clickjacking | Clickjacking and issues only exploitable through clickjacking. |
| Already Known | Issues previously submitted, already known internally or publicly, etc. |
| Public CSRF | CSRF on forms and actions that are available to anonymous users such as search, contact form, cart actions, etc. |
| CSRF Cookie | The CSRF token cookie is not http only. We know this and it is by design. |
| Out of Scope | Issues not directly related to the porkbun.com website. This includes subdomains, email spoofing, spf/dmarc/dkim configuration, etc. |
Rules
Confidentiality
Confidentiality is important. Do not disclose any nature of any vulnerability to others, before and after disclosure to us. Any vulnerabilities not kept confidential will not qualify for payment.
Submission Requirements
You must submit all required information in order for your submission to be accepted.
- Each vulnerability must be reported in a separate email. Do not reply to previously reports with additional vulnerabilities, those will be ignored.
- Email your vulnerability, along with supporting documentation, to support@porkbun.com.
- The subject line should be in the form of "Bug Bounty: [PRIORITY LEVEL]". For example: "Bug Bounty: P2".
- Include the "OWASP Top Ten + Bugcrowd Extras", "Specific Vulnerability Name", and if available the "Variant or Affected Function" from the VRT mentioned above.
- Include your PayPal address where you'd like to receive payment.
- Include a detailed Proof of Concept (PoC). Please include as much detailed information as possible such as screenshots, steps to reproduce, etc.
Additional Rules
- The decisions made by Porkbun regarding bounties are final and binding.
- Vulnerabilities must be related to the Porkbun.com website. Issues regarding email spoofing, staging websites, etc will probably be ignored.
- Don’t commit any crimes or engage in illegal activity.
- You’re solely responsible for paying taxes on rewards as appropriate in your jurisdiction.
- Don’t mislead, abuse, or in any way engage with Porkbun customers. Use test accounts if you need to simulate an interaction.
- A phishing scheme is probably not a vulnerability, don't make one.
- Do not use Denial of Service attacks, scrape the site, or otherwise stress the site to find a vulnerability.
- Don’t harm anyone, by any definition of the word “harm.”
- Anonymous submissions are not allowed. To receive a payment, you must agree to us confirming your identity.
- We may ask you to sign a W-9 tax form or other similar form required by the IRS.
- By submitting the vulnerability, you assign full intellectual property of the report to Porkbun and relinquish any copyright to the report itself.
- If you reside in a country under US sanctions, unfortunately we will be unable to make payment to you.
