Bug Bounty Program


Requirements

  • The bug must not have been previously reported

  • You must not have created the buggy code or be in any way involved in its creation

  • The bug must be exploitable on one of the Mobile Nations properties listed in the eligible domains section


Eligible Vulnerability Types

  • Unauthenticated remote execution of arbitrary PHP code: US$500

  • Unauthenticated remote malicious file inclusion: US$500

  • Unauthenticated SQL injection that can modify the database: US$500

  • Unauthenticated login to an account: US$500

  • Unauthenticated persistent cross-site scripting (XSS): US$250

  • Unauthenticated arbitrary file viewing that exposes configuration file contents: US$250

  • Unauthenticated information disclosure that exposes website backup files: US$250


Eligible Domains

  • passport.mobilenations.com
  • crackberry.com
  • www.androidcentral.com
  • www.imore.com
  • www.connectedly.com
  • www.teslacentral.com
  • www.vrheads.com
  • www.webosnation.com
  • forums.crackberry.com
  • forums.imore.com
  • forums.androidcentral.com
  • forums.connectedly.com
  • forums.teslacentral.com
  • forums.vrheads.com
  • forums.webosnation.com
  • shop.crackberry.com
  • www.shopandroid.com
  • store.imore.com
  • shop.windowscentral.com


Process

To receive the bounty you need to be the first to report the vulnerability to us by email at bounty@mobilenations.com with full details of the vulnerability**. Report one bug per email and include a descriptive subject line. The bounty will be paid as soon as we have confirmed that the vulnerability exists. The bounty will be paid via PayPal. The bounty can also be donated to a charity of your choice.


** Only one bounty is rewarded per vulnerability (even if it occurs on multiple domains). E.g. if the same vulnerability is exploitable on www.imore.com and www.vrheads.com, it is considered one vulnerability.


Rewarded Bounties

Bounty #1
CSRF - disconnect facebook/twitter/microsoft/google account
Reported on July 30, 2016.  Rewarded to paramdham. 

Bounty #2
CSRF - change email address/user info
Reported on July 30, 2016.  Rewarded to paramdham.  

Bounty #3
CSRF - change account password
Reported on July 30, 2016.  Rewarded to paramdham.  

Bounty #4
CSRF - connect google account
Reported on July 30, 2016.  Rewarded to paramdham.  

Bounty #5
Change password with expired password reset link
Reported on August 1, 2016.  Rewarded to paramdham.  

Bounty #6
CSRF - partner site
Reported on August 9, 2016.  Rewarded to Nitin Goplani.

Bounty #7
Secure flag on session cookie
Reported on August 10, 2016. Rewarded to Sajibe Kanti (eesec.org). Facebook: @Sajibe.kanti