[{"id":3767626,"new_policy":"Vulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $15,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Retrieve arbitrary users' AI interaction logs, with no user-interaction\n - Unauthenticated RCE on Burp Suite DAST\n - Complete authentication bypass on portswigger.net\n\n#### High - $5,000\n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n - A project file loaded in untrusted mode can make Burp execute arbitrary code with no user-interaction\n\n#### Medium - $2,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - A project file loaded in untrusted mode can write or retrieve files from the filesystem with no user-interaction.\n - CSRF on critical actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - CSP bypass via trusted domain, JSONP, etc\n - Header injection in Burp Suite\n - Open redirect\n\n#### Significant vulnerabilities in BApps - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nForbidden activities\n--\n\nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Attacks targeting PortSwigger employees or customers. If you obtain employee credentials indirectly, eg via a public password dump, please report these including the source. Leaked customer credentials are not in scope but can be reported by email.\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** \n\nHere are some examples:\n\n- Prompt injection with no security impact. 
Note that prompts are not considered private.\n - Broken links\n - Denial of service vulnerabilities\n- Missing rate-limits\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- You can use prompt injection to obtain prompts. \n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded. \n- Upstream TLS verification needs hardening\n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n\nSome other caveats and common mistaken reports:\n- Issues relating to license enforcement and free-trial abuse are out of scope.\n- Non-whitelisted subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n- Our [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. 
As such, it's excluded from our bounty program.\n- If you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Just like extensions, Bambdas can execute arbitrary code by design\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Collections can be accessed by anyone who is given the link until they expire - the encryption key is stored in the URL fragment. Support for in-product deletion will be added in the future.\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. 
We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, and configuration files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files of the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nProject files are trusted by default. If a project file is loaded in non-trusted mode, it should be harmless provided you don't proxy traffic through it, or use it to send requests. 
Please note that users will be automatically prompted to load unrecognised project files in non-trusted mode, but this prompt is not a security boundary and can be bypassed in some scenarios.\n\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"License enforcement and free-trial abuse\",\"details\":\"Issues relating to license enforcement and free-trial abuse are out of scope.\"}"],"timestamp":"2025-12-19T13:19:04.753Z"},{"id":3767623,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite DAST, and Burp Suite Community Edition\n- Infrastructure: https://ai.portswigger.net\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nIssues relating to license enforcement and free-trial abuse are out of scope.\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n\nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $15,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Retrieve arbitrary users' AI interaction logs, with no user-interaction\n - Unauthenticated RCE on Burp Suite DAST\n - Complete authentication bypass on portswigger.net\n\n#### High - $5,000\n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n - A project file loaded in untrusted mode can make Burp execute arbitrary code with no user-interaction\n\n#### Medium - $2,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - A project file loaded in untrusted mode can write or retrieve files from the filesystem with no user-interaction.\n - CSRF on critical actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - CSP bypass via trusted domain, JSONP, etc\n - Header injection in Burp Suite\n - Open redirect\n\n#### Significant vulnerabilities in BApps - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nForbidden activities\n--\n\nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Attacks targeting PortSwigger employees or customers. If you obtain employee credentials indirectly, eg via a public password dump, please report these including the source. Leaked customer credentials are not in scope but can be reported by email.\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n- Prompt injection with no security impact. 
Note that prompts are not considered private.\n - Broken links\n - Denial of service vulnerabilities\n- Missing rate-limits\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- You can use prompt injection to obtain prompts. \n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded. \n- Upstream TLS verification needs hardening\n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n\nSome other caveats and common mistaken reports:\n\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Just like extensions, Bambdas can execute arbitrary code by design\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Collections can be accessed by anyone who is given the link until they expire - the encryption key is stored in the URL fragment. Support for in-product deletion will be added in the future.\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, and configuration files are also trusted. 
Websites accessed through Burp are untrusted, so anything a website could do to read files of the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nProject files are trusted by default. If a project file is loaded in non-trusted mode, it should be harmless provided you don't proxy traffic through it, or use it to send requests. Please note that users will be automatically prompted to load unrecognised project files in non-trusted mode, but this prompt is not a security boundary and can be bypassed in some scenarios.\n\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"License enforcement and free-trial abuse\",\"details\":\"Issues relating to license enforcement and free-trial abuse are out of scope.\"}"],"timestamp":"2025-12-19T10:40:00.772Z"},{"id":3753936,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite DAST, and Burp Suite Community Edition\n- Infrastructure: https://ai.portswigger.net\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nIssues relating to license enforcement and 
free-trial abuse are out of scope.\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n\nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $15,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Retrieve arbitrary users' AI interaction logs, with no user-interaction\n - Unauthenticated RCE on Burp Suite DAST\n - Complete authentication bypass on portswigger.net\n\n#### High - $5,000\n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n - A project file loaded in untrusted mode can make Burp execute arbitrary code with no user-interaction\n\n#### Medium - $2,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - A project file loaded in untrusted mode can write or retrieve files from the filesystem with no user-interaction.\n - CSRF on critical actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is 
unexploitable due to CSP\n- CSP bypass via trusted domain, JSONP, etc\n - Header injection in Burp Suite\n - Open redirect\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nForbidden activities\n--\n\nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Attacks targeting PortSwigger employees or customers. If you obtain employee credentials indirectly, eg via a public password dump, please report these including the source. Leaked customer credentials are not in scope but can be reported by email.\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n- Prompt injection with no security impact. 
Note that prompts are not considered private.\n - Broken links\n - Denial of service vulnerabilities\n- Missing rate-limits\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- You can use prompt injection to obtain prompts. \n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded. \n- Upstream TLS verification needs hardening\n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n\nSome other caveats and common mistaken reports:\n\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Just like extensions, Bambdas can execute arbitrary code by design\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, and configuration files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files of the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  
Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nProject files are trusted by default. If a project file is loaded in non-trusted mode, it should be harmless provided you don't proxy traffic through it, or use it to send requests. Please note that users will be automatically prompted to load unrecognised project files in non-trusted mode, but this prompt is not a security boundary and can be bypassed in some scenarios.\n\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"License enforcement and free-trial abuse\",\"details\":\"Issues relating to license enforcement and free-trial abuse are out of scope.\"}"],"timestamp":"2025-04-17T07:23:15.183Z"},{"id":3753935,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite DAST, and Burp Suite Community Edition\n- Infrastructure: https://ai.portswigger.net\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nIssues relating to license enforcement and free-trial abuse are out of scope.\n\nAll other subdomains of portswigger.net are **strictly out of scope**. 
Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n\nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $15,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Retrieve arbitrary users' AI interaction logs, with no user-interaction\n - Unauthenticated RCE on Burp Suite DAST\n - Complete authentication bypass on portswigger.net\n\n#### High - $5,000\n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n - A project file loaded in untrusted mode can make Burp execute arbitrary code with no user-interaction\n\n#### Medium - $2,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - A project file loaded in untrusted mode can write or retrieve files from the filesystem with no user-interaction.\n - CSRF on critical actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n - Open redirect\n\n#### CSP Bypass - $100-$1000\n - Content 
Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nForbidden activities\n--\n\nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Attacks targeting PortSwigger employees or customers. If you obtain employee credentials indirectly, eg via a public password dump, please report these including the source. Leaked customer credentials are not in scope but can be reported by email.\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n- Prompt injection with no security impact. 
Note that prompts are not considered private.\n - Broken links\n - Denial of service vulnerabilities\n- Missing rate-limits\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- You can use prompt injection to obtain prompts. \n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded. \n- Upstream TLS verification needs hardening\n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n\nSome other caveats and common mistaken reports:\n\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Just like extensions, Bambdas can execute arbitrary code by design\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, and configuration files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files of the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  
Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nProject files are trusted by default. If a project file is loaded in non-trusted mode, it should be harmless provided you don't proxy traffic through it, or use it to send requests. Please note that users will be automatically prompted to load unrecognised project files in non-trusted mode, but this prompt is not a security boundary and can be bypassed in some scenarios.\n\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"License enforcement and free-trial abuse\",\"details\":\"Issues relating to license enforcement and free-trial abuse are out of scope.\"}"],"timestamp":"2025-04-17T07:21:03.944Z"},{"id":3753412,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n- Infrastructure: https://ai.portswigger.net\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nIssues relating to license enforcement and free-trial abuse are out of scope.\n\nAll other subdomains of portswigger.net are **strictly out of scope**. 
Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n - Complete authentication bypass on portswigger.net\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n - A project file loaded in untrusted mode can make Burp execute arbitrary code with no user-interaction\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n- A project file loaded in untrusted mode can write or retrieve files from the filesystem with no user-interaction.\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n - Open redirect\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so 
we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nForbidden activities\n--\n\nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Attacks targeting PortSwigger employees or customers. If you obtain employee credentials indirectly, eg via a public password dump, please report these including the source. Leaked customer credentials are not in scope but can be reported by email.\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n- Prompt injection with no security impact. 
Note that prompts are not considered private.\n - Broken links\n - Denial of service vulnerabilities\n- Missing rate-limits\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Upstream TLS verification needs hardening\n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded. \n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n- Spectre\n\nSome other caveats and common mistaken reports:\n- You can use prompt injection to obtain prompts. This is an accepted risk.\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Just like extensions, Bambdas can execute arbitrary code by design\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, and configuration files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files of the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. 
Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nProject files are trusted by default. If a project file is loaded in non-trusted mode, it should be harmless provided you don't proxy traffic through it, or use it to send requests. Please note that users will be automatically prompted to load unrecognised project files in non-trusted mode, but this prompt is not a security boundary and can be bypassed in some scenarios.\n\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"License enforcement and free-trial abuse\",\"details\":\"Issues relating to license enforcement and free-trial abuse are out of scope.\"}"],"timestamp":"2025-04-09T08:32:54.813Z"},{"id":3752893,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n- Infrastructure: https://ai.portswigger.net\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nIssues relating to license enforcement and free-trial abuse are out of scope.\n\nAll other subdomains of portswigger.net are **strictly out of scope**. 
Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n - Complete authentication bypass on portswigger.net\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n - A project file loaded in untrusted mode can make Burp execute arbitrary code with no user-interaction\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n- A project file loaded in untrusted mode can write or retrieve files from the filesystem with no user-interaction.\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n - Open redirect\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so 
we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nForbidden activities\n--\n\nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Attacks targeting PortSwigger employees. If you obtain employee credentials indirectly, eg via a public password dump, please email us.\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n- Prompt injection with no security impact. 
Note that prompts are not considered private.\n - Broken links\n - Denial of service vulnerabilities\n- Missing rate-limits\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Upstream TLS verification needs hardening\n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded. \n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n- Spectre\n\nSome other caveats and common mistaken reports:\n- You can use prompt injection to obtain prompts. This is an accepted risk.\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Just like extensions, Bambdas can execute arbitrary code by design\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, and configuration files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files of the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. 
Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nProject files are trusted by default. If a project file is loaded in non-trusted mode, it should be harmless provided you don't proxy traffic through it, or use it to send requests. Please note that users will be automatically prompted to load unrecognised project files in non-trusted mode, but this prompt is not a security boundary and can be bypassed in some scenarios.\n\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"License enforcement and free-trial abuse\",\"details\":\"Issues relating to license enforcement and free-trial abuse are out of scope.\"}"],"timestamp":"2025-04-02T13:53:29.811Z"},{"id":3746330,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nIssues relating to license enforcement and free-trial abuse are out of scope.\n\nAll other subdomains of portswigger.net are **strictly out of scope**. 
Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n - Complete authentication bypass on portswigger.net\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n - A project file loaded in untrusted mode can make Burp execute arbitrary code with no user-interaction\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n- A project file loaded in untrusted mode can write or retrieve files from the filesystem with no user-interaction.\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n - Open redirect\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so 
we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nForbidden activities\n--\n\nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Attacks targeting PortSwigger employees. If you obtain employee credentials indirectly, eg via a public password dump, please email us.\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n- Missing rate-limits\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports 
that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Upstream TLS verification needs hardening\n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded. \n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n- Spectre\n\nSome other caveats and common mistaken reports:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Just like extensions, Bambdas can execute arbitrary code by design\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). 
We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, and configuration files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files of the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nProject files are trusted by default. If a project file is loaded in non-trusted mode, it should be harmless provided you don't proxy traffic through it, or use it to send requests. 
Please note that users will be automatically prompted to load unrecognised project files in non-trusted mode, but this prompt is not a security boundary and can be bypassed in some scenarios.\n\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"License enforcement and free-trial abuse\",\"details\":\"Issues relating to license enforcement and free-trial abuse are out of scope.\"}"],"timestamp":"2024-12-10T12:21:32.448Z"},{"id":3713582,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n - Complete authentication bypass on portswigger.net\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n - A project file loaded in untrusted mode can make Burp execute arbitrary code with no user-interaction\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n- A project file loaded in untrusted mode can write or retrieve files from the filesystem with no user-interaction.\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n - Open redirect\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. 
We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nForbidden activities\n--\n\nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Attacks targeting PortSwigger employees. If you obtain employee credentials indirectly, eg via a public password dump, please email us.\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n- Missing rate-limits\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a 
proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks\n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Upstream TLS verification needs hardening\n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded.\n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n- Spectre\n\nSome other caveats and common mistaken reports:\n- The PayPal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Just like extensions, Bambdas can execute arbitrary code by design\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). 
We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, and configuration files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files of the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nProject files are trusted by default. If a project file is loaded in non-trusted mode, it should be harmless provided you don't proxy traffic through it, or use it to send requests. 
Please note that users will be automatically prompted to load unrecognised project files in non-trusted mode, but this prompt is not a security boundary and can be bypassed in some scenarios.\n\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-04T14:19:37.433Z"},{"id":3708148,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n - Complete authentication bypass on portswigger.net\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n - A project file loaded in untrusted mode can make Burp execute arbitrary code with no user interaction\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n- A project file loaded in untrusted mode can write or retrieve files from the filesystem with no user interaction.\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n - Open redirect\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. 
We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nForbidden activities\n--\n\nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n- Missing rate-limits\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports 
(this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks\n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Upstream TLS verification needs hardening\n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded.\n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n- Spectre\n\nSome other caveats and common mistaken reports:\n- The PayPal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Just like extensions, Bambdas can execute arbitrary code by design\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). 
We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, and configuration files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files of the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nProject files are trusted by default. If a project file is loaded in non-trusted mode, it should be harmless provided you don't proxy traffic through it, or use it to send requests. 
Please note that users will be automatically prompted to load unrecognised project files in non-trusted mode, but this prompt is not a security boundary and can be bypassed in some scenarios.\n\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-28T15:36:46.761Z"},{"id":3701853,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n - Complete authentication bypass on portswigger.net\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n - A project file loaded in untrusted mode can make Burp execute arbitrary code with no user interaction\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n- A project file loaded in untrusted mode can write or retrieve files from the filesystem with no user interaction.\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n - Open redirect\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. 
We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nForbidden activities\n--\n\nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n- Missing rate-limits\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports 
(this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks\n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Upstream TLS verification needs hardening\n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded.\n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n- Spectre\n\nSome other caveats and common mistaken reports:\n- The PayPal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). 
We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, and configuration files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files of the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nProject files are trusted by default. If a project file is loaded in non-trusted mode, it should be harmless provided you don't proxy traffic through it, or use it to send requests. 
Please note that users will be automatically prompted to load unrecognised project files in non-trusted mode, but this prompt is not a security boundary and can be bypassed in some scenarios.\n\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-09-11T07:16:52.845Z"},{"id":3698434,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n - Complete authentication bypass on portswigger.net\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n - A project file loaded in untrusted mode can make Burp execute arbitrary code with no user interaction\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n- A project file loaded in untrusted mode can write or retrieve files from the filesystem with no user interaction.\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n - Open redirect\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. 
We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output 
from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks\n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Upstream TLS verification needs hardening\n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded.\n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n- Spectre\n\nSome other caveats and common mistaken reports:\n- The PayPal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). 
We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, and configuration files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files of the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nProject files are trusted by default. If a project file is loaded in non-trusted mode, it should be harmless provided you don't proxy traffic through it, or use it to send requests. 
Please note that users will be automatically prompted to load unrecognised project files in non-trusted mode, but this prompt is not a security boundary and can be bypassed in some scenarios.\n\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-18T13:43:41.544Z"},{"id":3698433,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n - Complete authentication bypass on portswigger.net\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n - A project file loaded in untrusted mode can make Burp execute arbitrary code with no user-interaction\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n- A project file loaded in untrusted mode can write or retrieve files from the filesystem with no user-interaction.\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n - Open redirect\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. 
We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output 
from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Upstream TLS verification needs hardening\n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded. \n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n- Spectre\n\nSome other caveats and common mistaken reports:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). 
We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, and configuration files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files of the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nProject files\n-- \nProject files are trusted by default. If a project file is loaded in non-trusted mode, it should be harmless provided you don't proxy traffic through it, or use it to send requests. 
Please note that users will be automatically prompted to load unrecognised project files in non-trusted mode, but this prompt is not a security boundary and can be bypassed in some scenarios.\n\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-18T13:42:20.092Z"},{"id":3698430,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n- A project file loaded in untrusted mode can write or retrieve files from the filesystem with no user-interaction.\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n - Open redirect\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Upstream TLS verification needs hardening\n- Generic N-day vulnerabilities in the embedded Chromium browser will 
not typically be rewarded. \n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n- Spectre\n\nSome other caveats and common mistaken reports:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. 
Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, and configuration files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files of the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nProject files\n-- \nProject files are trusted by default. If a project file is loaded in non-trusted mode, it should be harmless provided you don't proxy traffic through it, or use it to send requests. 
Please note that users will be automatically prompted to load unrecognised project files in non-trusted mode, but this prompt is not a security boundary and can be bypassed in some scenarios.\n\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-18T13:36:38.107Z"},{"id":3682607,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n - Open redirect\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Upstream TLS verification needs hardening\n- Generic N-day vulnerabilities in the embedded Chromium browser will 
not typically be rewarded. \n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n- Spectre\n\nSome other caveats and common mistaken reports:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. 
Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-27T10:03:15.326Z"},{"id":3676747,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. 
As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Upstream TLS verification needs hardening\n- Generic N-day vulnerabilities in the embedded Chromium browser will 
not typically be rewarded. \n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n- Spectre\n\nSome other caveats and common mistaken reports:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- The collaborator server creates an interaction for every valid ID it sees in a message, so one message can create multiple interactions.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. 
Don't waste your bandwidth.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-30T07:49:10.281Z"},{"id":3675049,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. 
As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Upstream TLS verification needs hardening\n- Generic N-day vulnerabilities in the embedded Chromium browser will 
not typically be rewarded. \n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n- Spectre\n\nSome other caveats and common mistaken reports:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Deleting a request in Burp does not overwrite it in the underlying project file. If you want to remove a request from a project file before sharing it, delete it then use Project-\u003eSave Copy to create a sanitised project file.\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. 
Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-07-21T12:54:59.904Z"},{"id":3672613,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Upstream TLS verification needs hardening\n- Generic N-day vulnerabilities in the embedded Chromium browser will 
not typically be rewarded. \n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n- Spectre\n\nSome other caveats and common mistaken reports:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. 
Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability.  Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-10T13:25:23.880Z"},{"id":3667497,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n - Local privilege escalation that requires write access to the installer/program directory (eg most DLL hijacking)\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded. 
\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n- Spectre\n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. 
Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-02T13:36:17.343Z"},{"id":3662135,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. 
As such, it's excluded from our bounty program.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. 
We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n 
- HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded. \n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n- Spectre\n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. 
We know you can bypass this.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-24T12:04:08.565Z"},{"id":3653619,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nAll other subdomains of portswigger.net are 
**strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. 
We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n 
- HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded. \n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n- Spectre\n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. 
We know you can bypass this.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation/free-trial issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. 
\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-18T08:35:29.647Z"},{"id":3652129,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nTo help you find vulnerabilities in Burp Suite Enterprise Edition, you may test our demo site at https://enterprise-demo.portswigger.net/\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded. \n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n- Spectre\n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. 
Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-10T15:08:49.662Z"},{"id":3651516,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Generic N-day vulnerabilities in the embedded Chromium browser will not typically be rewarded. \n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n- Spectre\n- Project files and configuration files may contain passwords, and are stored in plaintext by design. We recommend using full-disk encryption.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. 
Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-26T10:55:11.192Z"},{"id":3649875,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Vulnerabilities related to the embedded Chromium browser will not typically be rewarded unless you can provide a working PoC demonstrating RCE.\n- Invoices, quotations and receipts can be accessed by 
anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n- Spectre\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-12T15:23:23.125Z"},{"id":3649869,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Broken links\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Client-side caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Vulnerabilities related to the embedded Chromium browser will not typically be rewarded unless you can provide a working PoC demonstrating RCE.\n- Invoices, quotations and receipts can be accessed by 
anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-12T08:27:35.055Z"},{"id":3648001,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Vulnerabilities related to the embedded Chromium browser will not typically be rewarded unless you can provide a working PoC demonstrating RCE.\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n- Our voting system under /polls/ makes a token effort to discourage people from voting multiple times. We know you can bypass this.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-25T11:52:02.563Z"},{"id":3644778,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Vulnerabilities related to the embedded Chromium browser will not typically be rewarded unless you can provide a working PoC demonstrating RCE.\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Some scanners report a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. 
Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-05T10:06:50.697Z"},{"id":3644777,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Vulnerabilities related to the embedded Chromium browser will not typically be rewarded unless you can provide a working PoC demonstrating RCE.\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n- Nessus reports a [false positive STARTTLS vulnerability](https://hackerone.com/reports/953219) on the Collaborator Server.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. 
Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-05T09:52:37.335Z"},{"id":3634257,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- Vulnerabilities related to the embedded Chromium browser will not typically be rewarded unless you can provide a working PoC demonstrating RCE.\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. 
Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-30T07:32:59.185Z"},{"id":3631704,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- The embedded Chromium browser in Burp Suite 2.* receives non-critical security updates after a delay, and as such may have known vulnerabilities. 
These will not typically be rewarded unless you can provide a working PoC demonstrating RCE.\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- We deliberately allow unauthenticated access to Academy lab URLs (*.web-security-academy.net).\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. 
Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-27T09:34:15.732Z"},{"id":3630767,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/ and https://forum.portswigger.net/\n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nAll other subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- The embedded Chromium browser in Burp Suite 2.* receives non-critical security updates after a delay, and as such may have known vulnerabilities. 
These will not typically be rewarded unless you can provide a working PoC demonstrating RCE.\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-17T16:55:22.052Z"},{"id":3612947,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- The embedded Chromium browser in Burp Suite 2.* receives non-critical security updates after a delay, and as such may have known vulnerabilities. 
These will not typically be rewarded unless you can provide a working PoC demonstrating RCE.\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-28T13:01:20.932Z"},{"id":3612946,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nOur public beta releases are within scope.\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- The embedded Chromium browser in Burp Suite 2.* receives non-critical security updates after a delay, and as such may have known vulnerabilities. 
These will not typically be rewarded unless you can provide a working PoC demonstrating RCE.\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-28T12:59:56.155Z"},{"id":3611730,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nOur public beta releases are within scope.\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- The embedded Chromium browser in Burp Suite 2.* receives security updates after a delay, and as such may have known vulnerabilities. 
These will not typically be rewarded unless you can provide a working PoC demonstrating critical impact and a practical mitigation.\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\nOur [Web Security Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-12T10:04:28.725Z"},{"id":3611729,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Web Security Academy https://portswigger.net/web-security (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nOur public beta releases are within scope.\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- The embedded Chromium browser in Burp Suite 2.* receives security updates after a delay, and as such may have known vulnerabilities. 
These will not typically be rewarded unless you can provide a working PoC demonstrating critical impact and a practical mitigation.\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in the Web Security Academy?\n--\n[PortSwigger Academy](https://portswigger.net/web-security) is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-12T10:03:11.766Z"},{"id":3611728,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Infrastructure: *.web-security-academy.net (certain vulnerabilities only)\n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nOur public beta releases are within scope.\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- The embedded Chromium browser in Burp Suite 2.* receives security updates after a delay, and as such may have known vulnerabilities. 
These will not typically be rewarded unless you can provide a working PoC demonstrating critical impact and a practical mitigation.\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nWhat constitutes an eligible vulnerability in PortSwigger Academy?\n--\nPortSwigger Academy is full of intentional vulnerabilities including SSRF and RCE, and completely isolated from the rest of our infrastructure. As such, we are only interested in two possibilities: escalating privileges to root inside a container, and escaping out of a container entirely. These would qualify as 'low' and 'medium' severity respectively.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-12T09:25:28.019Z"},{"id":3606609,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nOur public beta releases are within scope but may receive reduced payouts. Payouts will increase to the usual level when releases are officially out of beta.\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This only applies to DLLs dropped in the Downloads folder, and other folders a remote unauthenticated attacker plausibly has access to.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - Local privilege escalation\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- The embedded Chromium browser in Burp Suite 2.* receives security updates after a delay, and as such may have known vulnerabilities. 
These will not typically be rewarded unless you can provide a working PoC demonstrating critical impact and a practical mitigation.\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-04-01T09:03:27.621Z"},{"id":3588522,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nOur public beta releases are within scope but may receive reduced payouts. Payouts will increase to the usual level when releases are officially out of beta.\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract cross-domain data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This does not include post-installation files as they are launched from a trusted folder.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- The embedded Chromium browser in Burp Suite 2.* receives security updates after a delay, and as such may have known vulnerabilities. 
These will not typically be rewarded unless you can provide a working PoC demonstrating critical impact and a practical mitigation.\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-12T14:14:49.393Z"},{"id":3588391,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nOur public beta releases are within scope but may receive reduced payouts. Payouts will increase to the usual level when releases are officially out of beta.\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or the Burp Suite Enterprise Edition web interface\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This does not include post-installation files as they are launched from a trusted folder.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- The embedded Chromium browser in Burp Suite 2.* receives security updates after a delay, and as such may have known vulnerabilities. 
These will not typically be rewarded unless you can provide a working PoC demonstrating critical impact and a practical mitigation.\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-11T08:24:22.078Z"},{"id":3587441,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional, Burp Suite Enterprise Edition, and Burp Suite Community Edition\n\nOur public beta releases are within scope but may receive reduced payouts. Payouts will increase to the usual level when releases are officially out of beta.\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Suite Enterprise Edition\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or Burp Suite Enterprise Edition\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Suite Enterprise Edition\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This does not include post-installation files as they are launched from a trusted folder.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- The embedded Chromium browser in Burp Suite 2.* receives security updates after a delay, and as such may have known vulnerabilities. 
These will not typically be rewarded unless you can provide a working PoC demonstrating critical impact and a practical mitigation.\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-31T08:14:57.323Z"},{"id":3586588,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional, Burp Enterprise, and Burp Suite Community Edition\n\nOur public beta releases are within scope but may receive reduced payouts. Payouts will increase to the usual level when releases are officially out of beta.\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n - Unauthenticated RCE on Burp Enterprise\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net or Burp Enterprise\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net or Burp Enterprise\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This does not include post-installation files as they are launched from a trusted folder.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- The embedded Chromium browser in Burp Suite 2.* receives security updates after a delay, and as such may have known vulnerabilities. 
These will not typically be rewarded unless you can provide a working PoC demonstrating critical impact and a practical mitigation.\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-23T08:00:29.359Z"},{"id":3584626,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This does not include post-installation files as they are launched from a trusted folder.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given 
the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. 
Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, or want to report a vulnerability without opting in to the reward program, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-03T10:01:28.909Z"},{"id":3579896,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is 
unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This does not include post-installation files as they are launched from a trusted folder.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - 
DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n- Verified SSL connections should be stricter about which protocols/ciphers are tolerated\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. 
Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-06-13T21:23:09.746Z"},{"id":3579385,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Given a collaborator payload, an attacker can retrieve interactions generated from the same key\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This does not include post-installation files as they are launched from a trusted folder.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given 
the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. 
Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-06-07T10:03:50.205Z"},{"id":3575997,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. 
This does not include post-installation files as they are launched from a trusted folder.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - Content Security Policy is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a 
proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. 
Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-09T09:53:18.114Z"},{"id":3575908,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. This does not include post-installation files as they are launched from a trusted folder.\n - Header injection in Burp Suite\n\n#### CSP Bypass - $100-$1000\n - CSP is a significant part of our security so we will reward CSP bypasses through trusted domains, JSONP, etc. We are less interested in reports of hypothetical dangling markup attacks, and reports like \"CSP headers are missing from static page X\" but will consider these on a case by case basis.\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. 
If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given 
the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. 
Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-08T15:47:10.898Z"},{"id":3555810,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. 
This does not include post-installation files as they are launched from a trusted folder.\n - Header injection in Burp Suite\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions first, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low 
severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. 
Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-16T10:59:48.181Z"},{"id":3555809,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $10,000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n       \n#### High  - $3,000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1,000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp 
Suite installer, on fully patched Windows 7/8.1/10. This does not include post-installation files as they are launched from a trusted folder.\n - Header injection in Burp Suite\n\n#### Significant vulnerabilities in BApps  - $0\n- We will work to resolve serious vulnerabilities in extensions in the BApp store, but do not offer cash rewards. If you're searching for issues in core Burp, we highly recommend disabling all extensions before testing Burp, to save yourself from wasting time.\n\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce 
attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. 
Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-16T10:58:37.656Z"},{"id":3555808,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. 
\n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $5000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n       \n#### High  - $3000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10. 
This does not include post-installation files as they are launched from a trusted folder.\n - Header injection in Burp Suite\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- Extensions including those in the BApp Store are out of scope. We highly recommend disabling all extensions before testing Burp, to save yourself from wasting time.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. 
Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-16T10:39:38.237Z"},{"id":3548132,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nAll subdomains of portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $5000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n       \n#### High  - $3000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10\n - Header injection in Burp Suite\n\nIf a report does not qualify but we find it 
useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- Extensions including those in the BApp Store are out of scope. We highly recommend disabling all extensions before testing Burp, to save yourself from wasting time.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. 
Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-03-03T15:09:08.635Z"},{"id":3546210,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nSubdomains of portswigger.net like support.portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $5000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n       \n#### High  - $3000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10\n - Header injection in Burp Suite\n\nIf a report does 
not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - HTTP Options header\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- Extensions including those in the BApp Store are out of scope. We highly recommend disabling all extensions before testing Burp, to save yourself from wasting time.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. 
Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-02-06T09:10:13.005Z"},{"id":3544064,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nSubdomains of portswigger.net like support.portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $5000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n       \n#### High  - $3000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $100-$1000\n - Reflected XSS that is unexploitable due to CSP\n - DLL hijacking on the Burp Suite installer, on fully patched Windows 7/8.1/10\n - Header injection in Burp Suite\n\nIf a report does 
not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- Extensions including those in the BApp Store are out of scope. We highly recommend disabling all extensions before testing Burp, to save yourself from wasting time.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. 
Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-01-03T13:20:01.008Z"},{"id":3543539,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nSubdomains of portswigger.net like support.portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $5000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n       \n#### High  - $3000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $350\n - Reflected XSS that is unexploitable due to CSP\n - A website scanned using Burp Suite can inject JavaScript into reports exported from the scanner as HTML\n - DLL hijacking on the Burp Suite 
installer, on fully patched Windows 7/8.1/10\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\n**We are not interested in low severity, purely theoretical and best-practice issues.** Here are some examples:\n\n - Denial of service vulnerabilities\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- Extensions including those in the BApp Store are out of scope. We highly recommend disabling all extensions before testing Burp, to save yourself from wasting time.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. 
Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-20T09:24:44.239Z"},{"id":3543024,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nSubdomains of portswigger.net like support.portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $5000\n - SQL injection on portswigger.net\n - Remotely retrieving arbitrary users' Burp Collaborator interactions\n       \n#### High  - $3000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $350\n - Reflected XSS that is unexploitable due to CSP\n - A website scanned using Burp Suite can inject JavaScript into reports exported from the scanner as HTML\n - DLL hijacking on the Burp Suite 
installer, on fully patched Windows 7/8.1/10\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\nWe are not interested in low severity, purely theoretical and best-practice issues. Here are some examples:\n\n - Denial of service vulnerabilities\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- Extensions including those in the BApp Store are out of scope. We highly recommend disabling all extensions before testing Burp, to save yourself from wasting time.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. 
Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-09T11:39:52.428Z"},{"id":3542804,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nSubdomains of portswigger.net like support.portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $5000\n - SQL injection on portswigger.net\n - Remotely retrieving other users' Burp Collaborator interactions\n       \n#### High  - $3000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $350\n - Reflected XSS that is unexploitable due to CSP\n - A website scanned using Burp Suite can inject JavaScript into reports exported from the scanner as HTML\n - DLL hijacking on the Burp Suite 
installer, on fully patched Windows 7/8.1/10\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\nWe are not interested in low severity, purely theoretical and best-practice issues. Here are some examples:\n\n - Denial of service vulnerabilities\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, DoS, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n- Plug 'n Hack discloses the port the proxy is listening on by design\n- Changing the proxy settings to listen on a non-loopback IP exposes the web interface to people with network access by design.\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). We pay for HTML/JavaScript injection regardless but to maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- Extensions including those in the BApp Store are out of scope. We highly recommend disabling all extensions before testing Burp, to save yourself from wasting time.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. 
Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-06T14:50:06.789Z"},{"id":3542581,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nSubdomains of portswigger.net like support.portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $5000\n - SQL injection on portswigger.net\n - Remotely retrieving other users' Burp Collaborator interactions\n       \n#### High  - $3000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $350\n - Reflected XSS that is unexploitable due to CSP\n - A website scanned using Burp Suite can inject JavaScript into reports exported from the scanner as HTML\n - DLL hijacking on the Burp Suite 
installer, on fully patched Windows 7/8.1/10\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\nWe are not interested in low severity, purely theoretical and best-practice issues. Here are some examples:\n\n - Denial of service vulnerabilities\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). To maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- Extensions including those in the BApp Store are out of scope. We highly recommend disabling all extensions before testing Burp, to save yourself from wasting time.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. 
Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-12-01T16:46:09.091Z"},{"id":3542515,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nSubdomains of portswigger.net like support.portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $5000\n - SQL injection on portswigger.net\n - Remotely retrieving other users' Burp Collaborator interactions\n       \n#### High  - $3000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $350\n - Reflected XSS that is unexploitable due to CSP\n - A website scanned using Burp Suite can inject JavaScript into reports exported from the scanner as HTML\n - DLL hijacking on the Burp Suite 
installer, on fully patched Windows 7/8.1/10\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\nWe are not interested in low severity, purely theoretical and best-practice issues. Here are some examples:\n\n - Denial of service vulnerabilities\n - Server errors with no sensitive information like https://portswigger.net/careers%22%3E\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). To maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- Extensions including those in the BApp Store are out of scope.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. 
Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-11-30T16:26:45.501Z"},{"id":3542507,"new_policy":"Scope\n--\n\n - Website: https://portswigger.net/    \n - Software: Burp Suite Professional and Burp Suite Free Edition\n\nSubdomains of portswigger.net like support.portswigger.net are **strictly out of scope**. Do not test these.\n\nIf you wish to test the Burp Collaborator functionality, please configure your own private Collaborator server and test that. \n       \nVulnerabilities of interest\n--\nHere are some examples of vulnerabilities that we could consider to be valid, and rough guidelines as to what kind of payout you can expect:\n\n#### Critical - $5000\n - SQL injection on portswigger.net\n - Remotely retrieving other users' Burp Collaborator interactions\n       \n#### High  - $3000  \n - Stored XSS on portswigger.net\n - File path traversal on portswigger.net\n - Complete authentication bypass on portswigger.net\n - A website accessed through Burp Suite can make Burp execute arbitrary code\n\n#### Medium - $1000\n - A website accessed through Burp Suite can retrieve local files from the user's system\n - A website accessed through Burp Suite can extract data from Burp's sitemap\n - Exploitable reflected XSS on portswigger.net\n - CSRF on significant actions\n\n#### Any medium severity issue involving unlikely user interaction - $350\n - Reflected XSS that is unexploitable due to CSP\n - A website scanned using Burp Suite can inject JavaScript into reports exported from the scanner as HTML\n - DLL hijacking on the Burp Suite 
installer, on fully patched Windows 7/8.1/10\n\nIf a report does not qualify but we find it useful, we may reward it with reputation or swag as a goodwill gesture.\n\nIssues not of interest\n==      \nThe following are strictly forbidden and may result in you being barred from the program, the website, or both:\n\n- Denial of service attacks\n- Physical or social engineering attempts\n- Targeting subdomains of portswigger.net\n- Bruteforcing subdomains\n- Spamming orders\n- Unthrottled automated scanning - please throttle all tools to one request per second.\n\nWe are not interested in low severity, purely theoretical and best-practice issues. Here are some examples:\n\n - Denial of service vulnerabilities\n - Headers like Server/X-Powered-By disclosing version information\n - XSS issues in non-current browsers\n - window.opener related issues\n - Unvalidated reports from automated vulnerability scanners\n - CSRF with minimal security implications (logout, etc.)\n - Issues related to email spoofing (eg SPF/DMARC)\n - DNS issues\n - Content spoofing\n - Reports that state that software is out of date or vulnerable without a proof of concept\n - Missing autocomplete attributes\n - Missing cookie flags on non-security sensitive cookies\n - SSL/TLS scan reports (this means output from sites such as SSL Labs)\n - Caching issues\n - Concurrent sessions\n - HPKP / HSTS preloading\n - Implausible bruteforce attacks \n\nThere are a few known issues we consider to be low severity, but may fix eventually:\n\n- As customer numbers are emailed out in plaintext, users should be encouraged to regenerate them on first login\n- Generating a new customer number should kill all associated sessions\n- Invoices, quotations and receipts can be accessed by anyone who is given the link. 
This is an intentional design decision to enable sharing (the ability to view someone's invoice without being given the link would be considered a serious vulnerability)\n\nSome other caveats:\n- The Paypal price can be tampered with but underpayment will result in product non-delivery so this isn't a security issue.\n- We use Content-Security-Policy (CSP) site-wide. This means you will have a hard time doing alert(1). To maximize your payout, see if you can make a payload that will steal some sensitive information.\n- As the makers of Burp Suite, we can assure you that we have already scanned our website with it. Don't waste your bandwidth.\n- Extensions including those in the BApp Store are out of scope.\n\nWhat constitutes a vulnerability in Burp Suite?\n--\nThe system that Burp Suite runs on is trusted, and every system that can access the Proxy listener is trusted to access the data within Burp. Extensions, configuration files and project files are also trusted. Websites accessed through Burp are untrusted, so anything a website could do to read files off the user's computer, read data out of Burp Suite, or gain remote code execution would be considered a vulnerability. Also, any way to get someone else's Collaborator interactions would be considered a vulnerability. Burp doesn't enforce upstream SSL trust by design, so we're not currently concerned about issues like weak SSL ciphers that would be considered a vulnerability in a web browser. Detection of Burp usage, denial of service vulnerabilities, and license enforcement/obfuscation issues are all out of scope. 
Please refer to the payout guidelines for some example vulnerabilities.\n\nContact\n--\nIf you have any questions, you can contact us at support@portswigger.net\n\nGood luck and have fun!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-11-30T12:03:24.450Z"}]