Total Reports: 236
Total Valid Reports: 90
Opened
pixiv

- Program: pixiv
  pixiv is an illustrators' community with over 30,000,000 registered users.
- Period: 2016/04/01 〜 2019/06/30
- Bounty Range: ¥10,000 ~ ¥300,000
- Rules
- Only test for vulnerabilities on the web applications stipulated in the Scope section. Any vulnerabilities reported on web applications out of scope are not eligible for bounty rewards.
***************************************************************
This is a production environment. Do not create more accounts than necessary to perform tests, and please delete your account as soon as you have finished your tests.
Please note that you should only perform tests against pages you created, never other users' pages.
To be eligible for a bounty reward under this program you must follow the rules stipulated above.
***************************************************************
Any vulnerability test against domains out of scope is explicitly prohibited.
Any violation of the Terms of Service of “BugBounty.jp”, and/or performance of a DoS (Denial of Service) attack or equivalent act that can degrade the performance of our service, is also explicitly prohibited.
***************************************************************
In addition to items listed in "Not Eligible For Bounty" section, below are out of scope for our program.
* Lack of security headers without an actual attack scenario
* Phishing attack via registration email (e.g. making username a URL)
* Tabnabbing
* Disclosure of pixiv's numeric ID such as user ID and illustration ID (unless it compromises user privacy)
* Lack of rate limit
***************************************************************
We will pay a fixed amount of bounty determined by the severity category as described below.
- Critical: 300,000 JPY. Example: Compromising important infrastructure or data (RCE, DB/filesystem breach)
- High: 100,000 JPY. Example: Access to user privilege with little or no restriction (Account takeover, Payment flaw, Unsandboxed stored XSS)
- Medium: 50,000 JPY. Example: Limited access to user privilege (CSRF, XSS with restrictions)
- Low: 20,000 JPY. Example: Limited disclosure of user data or other attacks with low overall risk (Minor information leakage, Open redirect, etc.)
- Scope
  - Web application
    - Name: pixiv services
    - URL:
      - https://www.pixiv.net/
      - https://factory.pixiv.net/
      - https://booth.pm/
      - https://chatstory.pixiv.net/
      - https://pay.pixiv.net/
      - https://comic.pixiv.net/
      - https://sensei.pixiv.net/
      - https://sketch.pixiv.net/
    - Domain:
      - *.booth.pm
      - www.pixiv.net
      - accounts.pixiv.net
      - app-api.pixiv.net
      - bungei-api.pixiv.net
      - chatstory.pixiv-app.net
      - chatstory.pixiv.net
      - comic-api.pixiv.net
      - embed.pixiv.net
      - factory.pixiv.net
      - m.pixiv.net
      - oauth.secure.pixiv.net
      - payment.pixiv.net
      - pixiv.me
      - public-api.secure.pixiv.net
      - sensei.pixiv.net
      - ssl.pixiv.net
      - booth.pm
  - iOS application
    - Name: pixiv PAY
    - URL: https://itunes.apple.com/app/pixiv-pay/id1261274472
  - Android application
    - Name: pixiv PAY
    - URL: https://play.google.com/store/apps/details?id=jp.pxv.pay
- Eligible For Bounty
  - Remote Code Execution: up to 300,000 yen
  - SQL Injection: up to 300,000 yen
  - Command Injection: up to 300,000 yen
  - Authentication: up to 100,000 yen
  - Cross-Site Scripting: up to 100,000 yen
  - Privilege Escalation: up to 100,000 yen
  - XML External Entities (XXE): up to 50,000 yen
  - Information Disclosure: up to 50,000 yen
  - Cross-Site Request Forgery (CSRF): up to 50,000 yen
  - Server-Side Request Forgery (SSRF): up to 50,000 yen
  - HTTP Response Splitting: up to 20,000 yen
  - Forced Browsing: up to 20,000 yen
  - Path Traversal: up to 20,000 yen
  - Cleartext Transmission of Sensitive Information: up to 20,000 yen
  - Session Fixation: up to 20,000 yen
  - UI Redressing (Clickjacking): up to 20,000 yen
  - Open Redirect: up to 20,000 yen
- Not Eligible For Bounty
  - Vulnerabilities found through automated scans or tools
  - Hypothetical or theoretical vulnerabilities without actual verification code
  - Vulnerabilities with capability of Denial of Service attack
  - Vulnerabilities with capability of brute force against passwords or tokens
  - Password, email and account policies, such as email ID verification, reset link expiration, password complexity
  - Login/Logout CSRF
  - Missing CSRF tokens
  - CSRF on forms that are available to anonymous users (e.g. contact form)
  - Missing security headers
  - Vulnerabilities found in domains out of scope
  - Vulnerabilities affecting outdated browsers or platforms
  - Presence of autocomplete attribute on web forms
  - Missing secure flags on non-sensitive cookies
  - Reports of insecure SSL/TLS ciphers
  - Vulnerabilities with capability of username/email enumeration
  - Descriptive error messages (e.g. stack traces, application or server errors)
  - Banner disclosure on servers
  - Misconfiguration of SPF record, DMARC and DKIM
- Notes
  - For eligibility details, please refer to the "Terms of Service Article 4" of this site.
Bounty Reward History
- 2018/10/11 20:38: ¥50,000 (50 pts) was paid for pea3nut's report
- 2018/10/04 11:35: ¥20,000 (20 pts) was paid for ooooooo_q's report
- 2018/09/04 12:31: ¥30,000 (30 pts) was paid for kusano's report
- 2018/08/23 11:44: ¥15,000 (15 pts) was paid for iruca3's report
- 2018/08/23 11:43: ¥15,000 (15 pts) was paid for iruca3's report
- 2018/08/23 11:41: ¥15,000 (15 pts) was paid for iruca3's report
- 2018/08/23 11:38: ¥15,000 (15 pts) was paid for mineo's report
- 2018/05/24 12:05: ¥5,000 (5 pts) was paid for iruca3's report
- 2018/04/12 12:05: ¥30,000 (30 pts) was paid for Private's report
- 2018/04/12 11:57: ¥50,000 (50 pts) was paid for Private's report
- 2018/04/12 11:29: ¥5,000 (5 pts) was paid for Private's report
- 2018/04/05 11:21: ¥5,000 (5 pts) was paid for Private's report
- 2018/04/05 11:17: ¥5,000 (5 pts) was paid for Private's report
- 2018/03/29 12:08: ¥5,000 (5 pts) was paid for Private's report
- 2018/03/29 11:56: ¥5,000 (5 pts) was paid for Chachi's report
- 2018/03/29 11:52: ¥5,000 (5 pts) was paid for Private's report
- 2018/03/29 11:46: ¥10,000 (10 pts) was paid for Todayisnew's report
- 2018/03/29 11:36: ¥10,000 (10 pts) was paid for haxormad's report
- 2018/03/27 19:23: ¥100,000 (100 pts) was paid for Private's report
- 2018/03/13 12:30: ¥5,000 (5 pts) was paid for Private's report
- 2018/03/13 12:07: ¥30,000 (30 pts) was paid for zer0's report
- 2018/03/13 11:40: ¥5,000 (5 pts) was paid for Private's report
- 2018/03/13 11:38: ¥100,000 (100 pts) was paid for Rey Mark Divino's report
- 2018/01/18 11:48: ¥10,000 (10 pts) was paid for Rey Mark Divino's report
- 2017/12/19 15:08: ¥5,000 (5 pts) was paid for no1zy's report
- 2017/12/19 14:46: ¥5,000 (5 pts) was paid for Private's report
- 2017/12/19 14:28: ¥10,000 (10 pts) was paid for Private's report
- 2017/12/19 14:20: ¥10,000 (10 pts) was paid for zer0's report
- 2017/12/19 14:14: ¥5,000 (5 pts) was paid for hfukuda's report
- 2017/11/22 14:49: ¥10,000 (10 pts) was paid for Private's report
- 2017/11/22 14:42: ¥10,000 (10 pts) was paid for Private's report
- 2017/11/22 14:35: ¥50,000 (50 pts) was paid for Todayisnew's report
- 2017/11/22 14:30: ¥10,000 (10 pts) was paid for Rey Mark Divino's report
- 2017/11/22 14:25: ¥30,000 (30 pts) was paid for Private's report
- 2017/09/08 17:28: ¥5,000 (5 pts) was paid for Rey Mark Divino's report
- 2017/08/25 12:55: ¥5,000 (5 pts) was paid for Rey Mark Divino's report
- 2017/08/04 16:03: ¥5,000 (5 pts) was paid for Rey Mark Divino's report
- 2017/08/04 15:51: ¥30,000 (30 pts) was paid for Rey Mark Divino's report
- 2017/07/28 12:24: ¥5,000 (5 pts) was paid for Todayisnew's report
- 2017/07/28 11:54: ¥5,000 (5 pts) was paid for Private's report
- 2017/07/28 11:45: ¥10,000 (10 pts) was paid for Private's report
- 2017/07/20 13:02: ¥5,000 (5 pts) was paid for Private's report
- 2017/07/19 15:40: ¥10,000 (10 pts) was paid for Private's report
- 2017/07/19 15:38: ¥5,000 (5 pts) was paid for Private's report
- 2017/07/14 17:43: ¥5,000 (5 pts) was paid for Private's report
- 2017/06/20 18:56: ¥5,000 (5 pts) was paid for yui540's report
- 2017/06/20 18:49: ¥5,000 (5 pts) was paid for Private's report
- 2017/06/20 18:40: ¥100,000 (100 pts) was paid for Private's report
- 2017/05/31 16:33: ¥30,000 (30 pts) was paid for Private's report
- 2017/05/31 16:23: ¥10,000 (10 pts) was paid for Private's report
- 2017/04/20 16:58: ¥5,000 (5 pts) was paid for kusano's report
- 2017/04/20 16:46: ¥5,000 (5 pts) was paid for ♠ Spade ♠'s report
- 2017/03/29 17:40: ¥5,000 (5 pts) was paid for Private's report
- 2017/03/29 17:21: ¥30,000 (30 pts) was paid for Mramydnei's report
- 2017/03/22 15:21: ¥5,000 (5 pts) was paid for ♠ Spade ♠'s report
- 2017/03/22 15:11: ¥10,000 (10 pts) was paid for Private's report
- 2017/03/22 15:11: ¥10,000 (10 pts) was paid for Private's report
- 2017/03/22 15:10: ¥10,000 (10 pts) was paid for Private's report
- 2017/03/15 18:51: ¥10,000 (10 pts) was paid for Private's report
- 2017/03/15 18:10: ¥5,000 (5 pts) was paid for Private's report
- 2017/02/23 13:11: ¥10,000 (10 pts) was paid for Private's report
- 2017/02/23 12:57: ¥30,000 (30 pts) was paid for Private's report
- 2017/02/23 12:46: ¥100,000 (100 pts) was paid for hfukuda's report
- 2017/02/23 12:25: ¥5,000 (5 pts) was paid for Private's report
- 2017/02/13 19:47: ¥10,000 (10 pts) was paid for kusano's report
- 2017/01/27 12:03: ¥50,000 (50 pts) was paid for Private's report
- 2017/01/27 11:42: ¥10,000 (10 pts) was paid for Private's report
- 2017/01/25 18:32: ¥10,000 (10 pts) was paid for Private's report
- 2017/01/24 17:42: ¥5,000 (5 pts) was paid for uruma's report
- 2017/01/16 17:25: ¥5,000 (5 pts) was paid for yoneyoneyo's report
- 2016/12/19 19:05: ¥5,000 (5 pts) was paid for gamermount56's report
- 2016/12/19 18:24: ¥5,000 (5 pts) was paid for gamermount56's report
- 2016/12/09 16:14: ¥5,000 (5 pts) was paid for Private's report
- 2016/09/12 15:35: ¥5,000 (5 pts) was paid for Private's report
- 2016/08/01 17:33: ¥5,000 (5 pts) was paid for Private's report
- 2016/07/11 17:21: ¥5,000 (5 pts) was paid for uruma's report
- 2016/07/11 17:08: ¥5,000 (5 pts) was paid for Private's report
- 2016/06/20 17:47: ¥5,000 (5 pts) was paid for kusano's report
- 2016/06/16 19:13: ¥10,000 (10 pts) was paid for shhnjk's report
- 2016/06/13 17:50: ¥5,000 (5 pts) was paid for kusano's report
- 2016/06/07 19:46: ¥10,000 (10 pts) was paid for shinkbr's report
- 2016/06/07 17:39: ¥5,000 (5 pts) was paid for uruma's report
- 2016/05/31 17:23: ¥10,000 (10 pts) was paid for shhnjk's report
- 2016/05/24 17:34: ¥5,000 (5 pts) was paid for Private's report
- 2016/05/24 17:06: ¥5,000 (5 pts) was paid for yujitounai's report
- 2016/05/12 23:36: ¥10,000 (10 pts) was paid for yujitounai's report
- 2016/04/11 17:43: ¥5,000 (5 pts) was paid for Private's report
- 2016/04/11 17:34: ¥5,000 (5 pts) was paid for Private's report
- 2016/04/11 17:30: ¥5,000 (5 pts) was paid for Private's report
- 2016/04/11 17:24: ¥5,000 (5 pts) was paid for Private's report
pixiv
- Available Program: 1
- Closed Program: 0
- Bounties Range: ¥10,000 〜 ¥300,000
- Reward Type:
Top Hackers
1. Private (335 pts)
2. Rey Mark Divino (168 pts)
3. hfukuda (105 pts)
4. Private (70 pts)
5. Todayisnew (68 pts)
6. kusano (56 pts)
7. Private (50 pts)
8. iruca3 (50 pts)
9. pea3nut (50 pts)
10. zer0 (40 pts)