Bug Bounty Program

Security researchers are encouraged to report security-related bugs found on behindthename.com to mike@behindthename.com. Thank you to all who submit bug reports! In some cases we may pay a bounty for the information.

Bugs

  • Eligible domains: *.behindthename.com
  • Minor bugs, e.g. XSS (reflected or trivial)
  • Medium bugs, e.g. XSS (stored or non-trivial), CSRF (on non-trivial actions), exposure of sensitive information, authentication bypass
  • Critical bugs, e.g. SQL injection, remote code execution
  • Out of scope: denial-of-service attacks, bugs in third-party products, social engineering attacks, username enumeration, bugs in very old web browsers, adjustment of rate limits
  • Most of the common "configuration errors" (such as TRACE, HSTS, TLS) have already been mentioned multiple times, and we are not planning to change them.

Bounties

  • We only pay a bounty for bugs related to security.
  • We only pay a bounty for information that actually leads to changes being made.
  • Bounties are paid via PayPal. In some cases, other arrangements can be made.
  • Rates are USD $40 (minor), $70 (medium), $100 (high), and $200 (critical).