BugBounty.jp - バグバウンティ・プラットフォーム

Total Reports：244
Total Valid Reports：91

pixiv

Program

pixiv
pixiv is an illustrators' community with over 30,000,000 registered users.

Program Logo

Period

2016/04/01 〜 2019/06/30

Bounty Range

¥10,000 ～ ¥300,000

Rules

Only test for vulnerabilities on web application stipulated in scope section. Any vulnerabilities reported on web applications out-of-scope are not eligible for bounty rewards.

***************************************************************
This is a production environment. Do not create account more than necessary to perform tests, and please delete your account as soon as you finished your tests.
Please note that you should only perform tests against pages you created, never other users pages.
To be eligible for a bounty reward under this program you must to follow the rules stipulated above.
***************************************************************

Any vulnerability test against domains out-of-scope are explicitly prohibited.

Any violation of the Terms of the Service of the “BugBounty.jp”, and/or performance of DoS （Denial of Service）attack or equivalent act that can degrade the performance of our service are also explicitly prohibited.

***************************************************************

In addition to items listed in "Not Eligible For Bounty" section, below are out of scope for our program.

* Lack of security headers without an actual attack scenario
* Phishing attack via registration email (e.g. making username a URL)
* Tabnabbing
* Disclosure of pixiv's numeric ID such as user ID and illustration ID (unless it compromises user privacy)
* Lack of rate limit

***************************************************************

We will pay a fixed amount of bounty determined by the severity category as described below.
Critical: 300,000 JPY
Example: Compromising important infrastructure or data (RCE, DB/Filesystem breach)

High: 100,000 JPY
Example: Access to user privilege with little or no restriction (Account takeover, Payment flaw, Unsandboxed stored XSS)

Medium: 50,000 JPY
Example: Limited access to user privilege (CSRF, XSS with restrictions)

Low: 20,000 JPY
Example: Limited disclosure of user data or other attacks with low overall risk (Minor information leakage, Open redirect, etc.)

Scope

Web application

Name

pixiv services

URL

https://www.pixiv.net/
https://factory.pixiv.net/
https://booth.pm/
https://chatstory.pixiv.net/
https://pay.pixiv.net/
https://comic.pixiv.net/
https://sensei.pixiv.net/
https://sketch.pixiv.net/

Domain

*.booth.pm
www.pixiv.net
accounts.pixiv.net
app-api.pixiv.net
bungei-api.pixiv.net
chatstory.pixiv-app.net
chatstory.pixiv.net
comic-api.pixiv.net
embed.pixiv.net
factory.pixiv.net
m.pixiv.net
oauth.secure.pixiv.net
payment.pixiv.net
pixiv.me
public-api.secure.pixiv.net
sensei.pixiv.net
ssl.pixiv.net
booth.pm

iOS application

Name

pixiv PAY

URL

https://itunes.apple.com/app/pixiv-pay/id1261274472

Android application

Name

pixiv PAY

URL

https://play.google.com/store/apps/details?id=jp.pxv.pay

Eligible For Bounty: Remote Code Execution　up to 300,000yen
SQL Injection　up to 300,000yen
Command Injection　up to 300,000yen
Authentication　up to 100,000yen
Cross-Site Scripting　up to 100,000yen
Privilege Escalation　up to 100,000yen
XML External Entities (XXE)　up to 50,000yen
Information Disclosure　up to 50,000yen
Cross-Site Request Forgery (CSRF)　up to 50,000yen
Server-Side Request Forgery (SSRF)　up to 50,000yen
HTTP Response Splitting　up to 20,000yen
Forced Browsing　up to 20,000yen
Path Traversal　up to 20,000yen
Cleartext Transmission of Sensitive Information　up to 20,000yen
Session Fixation　up to 20,000yen
UI Redressing (Clickjacking)　up to 20,000yen
Open Redirect　up to 20,000yen
Not Eligible For Bounty: Vulnerabilities found through automated scans or tools
Hypothetical or theoretical vulnerabilities without actual verification code
Vulnerabilities with capability of Denial of Service attack
Vulnerabilities with capability of brute force against password or tokens
Password, email and account policies, such as email id verification, reset link expiration, password complexity
Login/Logout CSRF
Missing CSRF tokens
CSRF on forms that are available to anonymous users (e.g. contact form)
Missing security headers
Vulnerabilities found in domains out-of-scope
Vulnerabilities affecting outdated browsers or platforms
Presence of autocomplete attribute on web forms
Missing secure flags on non-sensitive cookies
Reports of insecure SSL/TLS ciphers
Vulnerabilities with capability of username/email enumeration
Descriptive error messages (e.g. Stack traces, application or server errors)
Banner disclosure on servers
Misconfiguration of SPF record, DMARC and DKIM
Notes: For eligibility details, please refer to the "Terms of Service Article 4" of this site.