BugBounty.jp - バグバウンティ・プラットフォーム

Total Reports：169
Total Valid Reports：82

Opened

pixiv

Program

pixiv
pixiv is an illustrators' community with over 30,000,000 registered users.

Program Logo

Period

2016/04/01 〜 2018/06/30

Bounty Range

¥5,000 ～ ¥100,000

Rules

Only test for vulnerabilities on web application stipulated in scope section. Any vulnerabilities reported on web applications out-of-scope are not eligible for bounty rewards.

***************************************************************
This is a production environment. Do not create account more than necessary to perform tests, and please delete your account as soon as you finished your tests.
Please note that you should only perform tests against pages you created, never other users pages.
To be eligible for a bounty reward under this program you must to follow the rules stipulated above.
***************************************************************

Any vulnerability test against domains out-of-scope are explicitly prohibited.

Any violation of the Terms of the Service of the “BugBounty.jp”, and/or performance of DoS （Denial of Service）attack or equivalent act that can degrade the performance of our service are also explicitly prohibited.

***************************************************************

Below cases are not considered vulnerability.

* Phishing attack by registration email (for example by making username an URL)
* Tabnabbing
* Lack of security headers (particular attack pattern will be considered vulnerability depending on the risk)

Scope

Web application

Name

pixiv services

URL

factory.pixiv.net
payment.pixiv.net
accounts.pixiv.net
app-api.pixiv.net
bungei-api.pixiv.net
comic-api.pixiv.net
embed.pixiv.net
m.pixiv.net
pixiv.me
oauth.secure.pixiv.net
public-api.secure.pixiv.net
sensei.pixiv.net
ssl.pixiv.net
*.booth.pm
chatstory.pixiv.net

Domain

www.pixiv.net
factory.pixiv.net
payment.pixiv.net
accounts.pixiv.net
app-api.pixiv.net
bungei-api.pixiv.net
comic-api.pixiv.net
embed.pixiv.net
m.pixiv.net
pixiv.me
oauth.secure.pixiv.net
public-api.secure.pixiv.net
sensei.pixiv.net
ssl.pixiv.net
*.booth.pm
chatstory.pixiv.net

Eligible For Bounty: Cleartext Transmission of Sensitive Information　〜100,000yen
Missing HTTPOnly Flag　〜100,000yen
Missing Best practice　〜100,000yen
Path Traversal　〜20,000yen
No Rate Limiting　〜20,000yen
Open Redirect　〜20,000yen
UI Redressing (Clickjacking)　〜20,000yen
XML External Entities (XXE)　〜20,000yen
Forced Browsing　〜100,000yen
Authentication　〜100,000yen
Cross-Site Request Forgery (CSRF)　〜100,000yen
Cross-Site Scripting　〜100,000yen
Information Disclosure　〜100,000yen
Privilege Escalation　〜100,000yen
Remote Code Execution　〜100,000yen
SQL Injection　〜100,000yen
Session Fixation　〜100,000yen
Missing Secure Flag　〜100,000yen
HTTP Response Splitting　〜100,000yen
Command Injection　〜100,000yen
Server-Side Request Forgery (SSRF)　〜100,000yen
Not Eligible For Bounty: Vulnerabilities with capability of Denial of Service attack
Vulnerabilities with capability of brute force against password or tokens
Login/Logout CSRF
CSRF on forms that are available to anonymous users (e.g. contact form)
Missing secure flags on non-sensitive cookies
Vulnerabilities with capability of username/email enumeration
Banner disclosure on servers
Notes: For eligibility details, please refer to the "Terms of Service Article 4" of this site.