Security researchers are encouraged to report security-related bugs found on behindthename.com to mike@behindthename.com. Thank you to all who submit bug reports! In some cases we may pay a bounty for the information.
Bugs
- Eligible domains: *.behindthename.com
- Minor bugs, e.g. XSS (reflected or trivial)
- Medium bugs, e.g. XSS (stored or non-trivial), CSRF (on non-trivial actions), exposure of sensitive information, authentication bypass
- Critical bugs, e.g. SQL injection, remote code execution
- Out of scope: denial-of-service attacks, bugs in third-party products, social engineering attacks, username enumeration, bugs in very old web browsers, adjustment of rate limits
- Most of the common "configuration errors" (such as TRACE, HSTS, TLS) have already been mentioned multiple times, and we are not planning to change them.
Bounties
- We only pay a bounty for bugs related to security.
- We only pay a bounty for information that actually leads to changes being made.
- Bounties are paid via PayPal. In some cases, other arrangements can be made.
- Rates are USD $40 (minor), $70 (medium), $100 (high), and $200 (critical).