BugBounty.jp - バグバウンティ・プラットフォーム

Total Reports：179
Total Valid Reports：83

Opened

pixiv

Program

pixiv
pixiv is an illustrators' community with over 30,000,000 registered users.

Program Logo

Period

2016/04/01 〜 2018/06/30

Bounty Range

¥5,000 ～ ¥200,000

Rules

Only test for vulnerabilities on web application stipulated in scope section. Any vulnerabilities reported on web applications out-of-scope are not eligible for bounty rewards.

***************************************************************
This is a production environment. Do not create account more than necessary to perform tests, and please delete your account as soon as you finished your tests.
Please note that you should only perform tests against pages you created, never other users pages.
To be eligible for a bounty reward under this program you must to follow the rules stipulated above.
***************************************************************

Any vulnerability test against domains out-of-scope are explicitly prohibited.

Any violation of the Terms of the Service of the “BugBounty.jp”, and/or performance of DoS （Denial of Service）attack or equivalent act that can degrade the performance of our service are also explicitly prohibited.

***************************************************************

In addition to items listed in "Not Eligible For Bounty" section, below are out of scope for our program.

* Lack of security headers without an actual attack scenario
* Phishing attack via registration email (e.g. making username a URL)
* Tabnabbing
* Disclosure of pixiv's numeric ID such as user ID and illustration ID (unless it compromises user privacy)

Scope

Web application

Name

pixiv services

URL

https://www.pixiv.net/
https://factory.pixiv.net/
https://booth.pm/
https://chatstory.pixiv.net/
https://pay.pixiv.net/
https://comic.pixiv.net/
https://sensei.pixiv.net/
https://sketch.pixiv.net/

Domain

www.pixiv.net
accounts.pixiv.net
app-api.pixiv.net
bungei-api.pixiv.net
chatstory.pixiv-app.net
chatstory.pixiv.net
comic-api.pixiv.net
embed.pixiv.net
factory.pixiv.net
m.pixiv.net
oauth.secure.pixiv.net
payment.pixiv.net
pixiv.me
public-api.secure.pixiv.net
sensei.pixiv.net
ssl.pixiv.net
booth.pm
*.booth.pm

Eligible For Bounty: Command Injection　up to 200,000yen
Remote Code Execution　up to 200,000yen
SQL Injection　up to 150,000yen
Authentication　up to 120,000yen
Cross-Site Scripting　up to 80,000yen
Server-Side Request Forgery (SSRF)　up to 50,000yen
XML External Entities (XXE)　up to 50,000yen
Information Disclosure　up to 50,000yen
Privilege Escalation　up to 30,000yen
Cross-Site Request Forgery (CSRF)　up to 30,000yen
HTTP Response Splitting　up to 20,000yen
Forced Browsing　up to 10,000yen
Open Redirect　up to 10,000yen
Cleartext Transmission of Sensitive Information　up to 10,000yen
Path Traversal　up to 10,000yen
No Rate Limiting　up to 10,000yen
Session Fixation　up to 10,000yen
UI Redressing (Clickjacking)　up to 10,000yen
Not Eligible For Bounty: Vulnerabilities found through automated scans or tools
Hypothetical or theoretical vulnerabilities without actual verification code
Vulnerabilities with capability of Denial of Service attack
Vulnerabilities with capability of brute force against password or tokens
Password, email and account policies, such as email id verification, reset link expiration, password complexity
Login/Logout CSRF
Missing CSRF tokens
CSRF on forms that are available to anonymous users (e.g. contact form)
Missing security headers
Vulnerabilities found in domains out-of-scope
Vulnerabilities affecting outdated browsers or platforms
Presence of autocomplete attribute on web forms
Missing secure flags on non-sensitive cookies
Reports of insecure SSL/TLS ciphers
Vulnerabilities with capability of username/email enumeration
Descriptive error messages (e.g. Stack traces, application or server errors)
Banner disclosure on servers
Misconfiguration of SPF record, DMARC and DKIM
Notes: For eligibility details, please refer to the "Terms of Service Article 4" of this site.