Bug Bounty Program


FEB 22, 2017 UPDATE: Bounty Program is SUSPENDED until further notice.  All reports submitted prior to this date will still be processed as usual.  Any new reports will be ignored until the program is resumed.


  • The bug must not have been previously reported

  • You must not have created the buggy code or been in any way involved in its creation

  • The bug must be exploitable on one of the Mobile Nations properties listed in the eligible domains section


Eligible Vulnerability Types

  • Unauthenticated remote execution of arbitrary PHP code: US$500

  • Unauthenticated remote malicious file inclusion: US$500

  • Unauthenticated SQL injection that can modify the database: US$500

  • Unauthenticated login to an account: US$500

  • Unauthenticated persistent cross-site scripting (XSS): US$250

  • Unauthenticated arbitrary file viewing that exposes configuration file contents: US$250

  • Unauthenticated information disclosure that exposes website backup files: US$250



Eligible Domains

  • passport.mobilenations.com
  • crackberry.com
  • www.androidcentral.com
  • www.imore.com
  • www.connectedly.com
  • www.teslacentral.com
  • www.vrheads.com
  • www.webosnation.com
  • forums.crackberry.com
  • forums.imore.com
  • forums.androidcentral.com
  • forums.connectedly.com
  • forums.teslacentral.com
  • forums.vrheads.com
  • forums.webosnation.com


To receive the bounty, you need to be the first to report the vulnerability to us via email to bounty@mobilenations.com with full details of the vulnerability**. Submit one bug per email and include a descriptive subject line. The bounty will be paid as soon as we have confirmed that the vulnerability exists. The bounty will be paid via PayPal. The bounty can also be donated to a charity of your choice.


** Only one bounty is rewarded per vulnerability (even if it occurs on multiple domains). E.g., if the same vulnerability is exploitable on www.imore.com and www.vrheads.com, it is considered one vulnerability.


Rewarded Bounties

Bounty #1
CSRF - disconnect Facebook/Twitter/Microsoft/Google account
Reported on July 30, 2016.  Rewarded to paramdham. 

Bounty #2
CSRF - change email address/user info
Reported on July 30, 2016.  Rewarded to paramdham.  

Bounty #3
CSRF - change account password
Reported on July 30, 2016.  Rewarded to paramdham.  

Bounty #4
CSRF - connect Google account
Reported on July 30, 2016.  Rewarded to paramdham.  

Bounty #5
Change password with expired password reset link
Reported on August 1, 2016.  Rewarded to paramdham.  

Bounty #6
CSRF - partner site
Reported on August 9, 2016.  Rewarded to Nitin Goplani.

Bounty #7
Secure flag on session cookie
Reported on August 10, 2016.  Rewarded to Sajibe Kanti (eesec.org).

Bounty #8
Email verification link not expired
Reported on August 25, 2016.  Rewarded to Sumit Jain.

Bounty #9
CSRF in Store add cart
Reported on August 31, 2016.  Rewarded to Abdullah Erdem.

Bounty #10
CSRF in Store remove item
Reported on Sept 16, 2016.  Rewarded to Ashutosh Kumar.

Bounty #11
CSRF in Store remove item
Reported on Sept 16, 2016.  Rewarded to Sumit Jain.