Bug Bounty Program


Bug Bounty Program is currently Suspended


  • The bug must not have been previously reported

  • You must not have created the buggy code or been in any way involved in its creation

  • The bug must be exploitable on one of the Mobile Nations properties listed in the eligible domains section


Eligible Vulnerability Types

  • Unauthenticated remote execution of arbitrary PHP code: US$1000

  • Unauthenticated remote malicious file inclusion: US$1000

  • Unauthenticated SQL injection that can modify the database: US$1000

  • Unauthenticated login to an account: US$500

  • Unauthenticated persistent cross-site scripting (XSS): US$250

  • Unauthenticated arbitrary file viewing that exposes configuration file contents: US$250

  • Unauthenticated information disclosure that exposes website backup files: US$250



Eligible Domains

  • passport.mobilenations.com

  • crackberry.com

  • forums.crackberry.com

  • www.androidcentral.com

  • forums.androidcentral.com

  • www.imore.com

  • forums.imore.com

  • www.webosnation.com

  • forums.webosnation.com

  • www.windowscentral.com

  • forums.windowscentral.com

  • www.cordcutters.com

  • forums.cordcutters.com

  • www.thrifter.com


To receive the bounty, you need to be the first to report the vulnerability to us via email to bounty@mobilenations.com with full details of the vulnerability**. Report one bug per email and include a descriptive subject line. The bounty will be paid as soon as we have confirmed that the vulnerability exists. The bounty will be paid via PayPal. The bounty can also be donated to a charity of your choice.


** Only one bounty is rewarded per vulnerability (even if it occurs on multiple domains). E.g., if the same vulnerability is exploitable on www.imore.com and www.androidcentral.com, it is considered one vulnerability.


Rewarded Bounties

Bounty #1
CSRF - disconnect Facebook/Twitter/Microsoft/Google account
Rewarded to paramdham.

Bounty #2
CSRF - change email address/user info
Rewarded to paramdham.  

Bounty #3
CSRF - change account password
Rewarded to paramdham.  

Bounty #4
CSRF - connect Google account
Rewarded to paramdham.

Bounty #5
Change password with expired password reset link
Rewarded to paramdham.  

Bounty #6
CSRF - partner site
Rewarded to Nitin Goplani.

Bounty #7
Secure flag on session cookie
Rewarded to Sajibe Kanti (eesec.org).

Bounty #8
Email verification link not expired
Rewarded to Sumit Jain.

Bounty #9
CSRF in Store add cart
Rewarded to Abdullah Erdem.

Bounty #10
CSRF in Store remove item
Rewarded to Ashutosh Kumar.

Bounty #11
CSRF in Store remove item
Rewarded to Sumit Jain.