Bug Bounty Program

Thank you for your interest in helping us improve the security of our open source products, websites and other properties.

We have created this Bug Bounty program to appreciate and reward your efforts.

Reward Guidelines:

We base all payouts on impact and will reward accordingly. Please emphasize the impact as part of your submission. We are particularly interested and will consider extraordinary submissions for issues that result in full compromise of a system.

Priority                  Reward Range
Critical                  $500 to $5000+ depending on severity
High                      ~ $500
Medium                    ~ $300
Low                       Case by case
Common to all of above    Certificate of appreciation + inclusion in our hall of fame

The table above outlines the nominal rewards for in-scope assets. Brainstorm Force, at its own discretion, will make a final decision on the bounty for qualifying vulnerabilities. Bounties will be awarded to the first reporter of a vulnerability only.

Amounts may vary depending upon the severity of the issue and quality of the report.

Scope:

Brainstorm Force Store (https://store.brainstormforce.com/)
Astra WordPress theme (https://wordpress.org/themes/astra/)
License and Updates APIs (https://support.brainstormforce.com)
Starter Templates WordPress plugin (https://wordpress.org/plugins/starter-templates/)
Ultimate Addons for Gutenberg WordPress plugin (ultimategutenberg.com)
Ultimate Addons for Elementor WordPress plugin (ultimateelementor.com)
Schema Pro WordPress plugin (wpschema.com)
Convert Pro WordPress plugin (www.convertpro.net)
WP Portfolio WordPress plugin (wpportfolio.net)
Convert Plus WordPress plugin (convertplug.com/plus/)
Ultimate Addons for WPBakery Page Builder WordPress plugin (ultimate.brainstormforce.com)
Multipurpose Before After Slider WordPress plugin (baslider.brainstormforce.com)
CartFlows WordPress plugin (cartflows.com, my.cartflows.com)
ProjectHuddle WordPress plugin (https://wordpress.org/plugins/projecthuddle-child-site/)
WordPress.org plugins (https://profiles.wordpress.org/brainstormforce/#content-plugins)

If you believe you have found a bug in one of our properties that is not listed in the scope above and would like to report it, please send us an email at [email protected] and we will be happy to confirm whether it is in scope.

As we are a growing organization, we may have a recently built property that is missing from the list above.

General Guidelines:

Vulnerability reports that do not include manual validation (for example, reports based only on results from automated tools and scanners, or reports that describe theoretical attack vectors without proof of exploitability) will be rejected.

Include steps to reproduce and make sure you demonstrate a working proof of concept.

Submissions without sufficient details will be rejected.

Since we use the same stack for all of our websites, a vulnerability that exists across all of them will be treated as a single report for bounty purposes.

Qualifying Vulnerabilities:

Any reproducible vulnerability that affects the security of our users is likely to be in scope for the program. Common examples include:

  1. Cross Site Scripting (XSS)
  2. Cross Site Request Forgery (CSRF)
  3. Server Side Request Forgery (SSRF)
  4. Remote Code Execution (RCE)
  5. SQL Injection (SQLi)
  6. Privilege Escalation

Exclusion List:

  1. We are generally not interested in DoS vulnerabilities that stem from a perceived lack of rate limiting or captcha. As a web-scale service, our threshold for rate limiting is higher than you would probably expect. Of course, if you think you have found an exception to this rule, please let us know.
  2. Any contact or support forms
  3. Anything SSL (related attacks, insecure cipher suites, etc.)
  4. Weak Captcha / Captcha Bypass
  5. Username / Email Enumeration
  6. Brute Force attacks on our Login or Forgot Password pages
  7. Account lockout enforcement and related attacks
  8. HTTP security headers and Cookies related Issues
  9. Weak password policies
  10. CSRF on forms that are available to anonymous users (e.g. login or contact forms)
  11. Clickjacking
  12. Anything related to Mail Server Domain Misconfiguration (Email spoofing, missing DMARC, SPF/DKIM, etc.)
  13. Vulnerabilities impacting only old or end-of-life platforms, browsers and plugins
  14. Cross Site Scripting (XSS) is out of scope for all impactless domains.
  15. Missing Best Practices that don’t pose a direct security threat will most likely not be accepted.
  16. We are generally not looking for reports on our marketing/product websites and would prefer reports on the actual products. That being said, if you believe a vulnerability is serious, do report it to us; our security team will review it and decide the severity of the report for websites from our perspective.

Crafting a Report:

If our team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:

  1. Description of the vulnerability
  2. Steps to reproduce the reported vulnerability
  3. Proof of exploitability (e.g. screenshot, video)
  4. Perceived impact to another user or the organization
  5. Proposed CVSSv3 Vector & Score (without environmental and temporal modifiers)
  6. List of URLs and affected parameters
  7. Other vulnerable URLs, additional payloads, Proof-of-Concept code
  8. Browser, OS and/or app version used during testing
  9. Impact of the bug

Security reports should be sent to [email protected]

Once again, thank you for helping us improve security. We really appreciate it.
