Security researchers are encouraged to report security-related bugs found on behindthename.com to . Thank you to all who submit bug reports! In some cases we may pay a bounty for the information.

Bugs

• Eligible domains: *.behindthename.com
• Minor bugs, e.g. XSS (reflected or trivial)
• Medium bugs, e.g. XSS (stored or non-trivial), CSRF (on non-trivial actions), exposure of sensitive information, authentication bypass
• Critical bugs, e.g. SQL injection, remote code execution
• Out of scope: denial-of-service attacks, bugs in third-party products, social engineering attacks, username enumeration, bugs in very old web browsers, adjustment of rate limits
• Most of the common "configuration errors" (such as TRACE, HSTS, TLS) have already been mentioned multiple times and we are not planning to change.

Bounties

• We only pay a bounty for bugs related to security.
• We only pay a bounty for information that actually leads to changes being made.
• Bounties are paid via PayPal. In some cases, other arrangements can be made.
• Rates are USD $40 (minor), $70 (medium), $100 (high), and $200 (critical).