[{"id":3661418,"new_policy":"# MindGeek Bug Bounty Program Policy  \nSecurity is a top priority at MG Freesites Ltd (“MG”). MG loves to work with skilled security researchers to improve the security of MG’s Services. If you (also referred to herein as the “Finder”) believe you have found a (“Vulnerability” or “Vulnerabilities”), as defined in the vulnerability disclosure guideline on www.hackerone.com, in the services listed in MG’s scope, MG will be happy to work with you to resolve the issue promptly and ensure you are rewarded for your discovery.  \n \n\n# (The “Scope”)  \nAt this time, the scope of this program is limited to Vulnerabilities found on assets listed under the \"Program Scope\" section. Vulnerabilities reported on other assets are NOT eligible for Reward. \n\n**Important:**   \nContacting MG’s support team directly to inquire about the status of examination of a HackerOne report (“Report”) will result in an immediate disqualification from receiving a Reward. All communications must be conducted through HackerOne's communication system only.  \n\n**Severity**: \nSeverity of Vulnerability shall be assessed in accordance with the Common Vulnerability Scoring System (CVSS).  \n\n\n# Program Rules \n- You must avoid tests that could cause degradation or interruption of MG’s services;  \n- You must not access, leak, manipulate, or destroy any user data, including but not limited to, user information, metadata, preferences, configurations, etc. (“User Data”);  \n- You are only allowed to perform tests against your own accounts;  \n- The use of automated tools or scripted testing is not allowed. 
This includes but is not limited to vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts which may result in heavy traffic or flooding of any of MG’s services; \n- Physical attacks against offices and data centers are prohibited; \n- Social engineering of MG’s support agents, service desk, employees or contractors is prohibited; \n- Do not compromise a user's or employee's account. \n\n\n# Eligibility  \nYou will qualify for a Reward only if you are the first Finder to responsibly disclose an unknown Vulnerability. Note that posting details, conversations or any other Confidential Information about a vulnerability report or posting details that reflect negatively on the program will result in immediate removal from the program. We would also like to bring to your attention that this shall be treated as a breach of your confidentiality and therefore disqualifies your eligibility for safe harbor as it is outlined in this policy. \n\n- Any Vulnerability found must be reported no later than 24 hours after discovery;  \n- Report on Vulnerability shall be disclosed to MG exclusively;  \n- To obtain any type of verified account on our platform your user's account must be created using the HackerOne alias email 'username@wearehackerone.com';  \n- You must send a clear textual description of the report along with steps to reproduce the vulnerability (proof of concept “PoC”) that must be included in the Report;  \n- You must include attachments such as screenshots or PoC code as necessary. To be acceptable, any submitted Vulnerability report must include as a minimum:  \n- List the URL and any affected parameters;  \n- Describe the browser, OS, and/or app version;  \n- Describe the perceived impact. How could the Vulnerability potentially be exploited? \n**Reports that only feature a video PoC without written reproduction steps will be refused.** \n\n\n# The (“Reward(s)”)  \nMG may provide Rewards to eligible Finders of Vulnerabilities in accordance with this Policy. *Reward amounts may vary depending upon the severity of the Vulnerability reported at MG’s sole discretion.*  \n\nPromotional material (“Swag”) may be awarded as a bonus to triaged qualifying, in-scope reports. MG allows one Swag item per researcher. MG will not respond to repeated requests to be awarded Swag under any circumstances.  \n\nMG will, at its sole discretion, decide if the minimum severity threshold is met for each reported Vulnerability. MG shall use commercially reasonable efforts to inform the Finder if the Vulnerability was previously reported. Rewards are granted entirely at the discretion of MG in accordance with this Policy.  \n\nIf your report was closed as a duplicate, you cannot be invited in the original report to preserve its confidentiality.  \n\n\n# Disclosure Guidelines  \n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. Informative or Duplicate reports are not eligible for disclosure. \n- Follow HackerOne's disclosure guidelines. \n\n\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope: \n \n- Information Disclosure without significant and executable impact \n- Information leakage, data cached in search engines or the web archive \n- Cross-Origin Resource Sharing (CORS) \n- Self XSS and XSS without impact \n- Anything related to confirmation emails \n- Password and account recovery policies \n- Session Management, such as: session timeout, session hijacking, etc. \n- Clickjacking on pages with no sensitive actions \n- Cross-Site Request Forgery (CSRF) on forms with no sensitive actions or without a realistic exploitation scenario \n- Attacks requiring MITM or physical access to a user's device. \n- Previously known vulnerable libraries without a working Proof of Concept. \n- Comma Separated Values (CSV) injection without demonstrating vulnerability. \n- Missing best practices in SSL/TLS configuration. \n- Any activity that could lead to the disruption of our service (DoS). \n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS \n- Rate limiting or brute force issues on non-authentication endpoints \n- Missing best practices in Content Security Policy. \n- Missing HTTP Only or Secure flags on cookies \n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.) \n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version] \n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors). \n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis. \n- Tab nabbing \n- Open redirect - unless an additional security impact can be demonstrated \n- Issues that require unlikely user interaction \n- Physical testing (e.g., office access, open doors, tailgating), or any other non-technical vulnerability testing \n- Tests against Cloud Service Providers where no Vulnerability Disclosure Policy exists. \n- Phishing or Social Engineering \n- Third-party services or systems used by MindGeek \n\n\n# Miscellaneous   \nYou must be at least 18 years old to participate in MG’s Bug Bounty Program.   \n\nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are legally bound by the Finders Terms and Conditions, The General Terms and Conditions, The Code of Conduct for Finders, Vulnerability Disclosure Guidelines as well as any other agreement found on https://www.hackerone.com/ that applies to Finders (the \"Agreements\"), and these, together with this Program Policy, shall govern the legal relationship between you and MG. All terms used but not defined herein shall have the meaning ascribed to them in the Agreements.   \n\nCurrent and previous employees of MG, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in MG’s Bug Bounty Program but are not eligible for monetary Rewards. The term (“Immediate Family”) includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, cohabitation or other family extension, and any other persons residing at the same household whether related or not.  \n\nMG reserves the right to modify the terms of this Policy or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.  
\n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Thank you for helping keep MindGeek safe! \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-09T14:04:18.925Z"},{"id":3658764,"new_policy":"# MindGeek Bug Bounty Program Policy  \nSecurity is a top priority at MG Freesites Ltd (“MG”). MG loves to work with skilled security researchers to improve the security of MG’s Services. If you (also referred to herein as the “Finder”) believe you have found a (“Vulnerability” or “Vulnerabilities”), as defined in the vulnerability disclosure guideline on www.hackerone.com, in the services listed in MG’s scope, MG will be happy to work with you to resolve the issue promptly and ensure you are rewarded for your discovery.  \n \n\n# (The “Scope”)  \nAt this time, the scope of this program is limited to Vulnerabilities found on assets listed under the \"Program Scope\" section. Vulnerabilities reported on other assets are NOT eligible for Reward. \n\n**Important:**   \nContacting MG’s support team directly to inquire about the status of examination of a HackerOne report (“Report”) will result in an immediate disqualification from receiving a Reward. All communications must be conducted through HackerOne's communication system only.  \n\n**Severity**: \nSeverity of Vulnerability shall be assessed in accordance with the Common Vulnerability Scoring System (CVSS).  
\n\n\n# Program Rules \n- You must avoid tests that could cause degradation or interruption of MG’s services;  \n- You must not access, leak, manipulate, or destroy any user data, including but not limited to, user information, metadata, preferences, configurations, etc. (“User Data”);  \n- You are only allowed to perform tests against your own accounts;  \n- The use of automated tools or scripted testing is not allowed. This includes but is not limited to vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts which may result in heavy traffic or flooding of any of MG’s services; \n- Physical attacks against offices and data centers are prohibited; \n- Social engineering of MG’s support agents, service desk, employees or contractors is prohibited; \n- Do not compromise a user's or employee's account. \n\n\n# Eligibility  \nYou will qualify for a Reward only if you are the first Finder to responsibly disclose an unknown Vulnerability. Note that posting details, conversations or any other Confidential Information about a vulnerability report or posting details that reflect negatively on the program will result in immediate removal from the program. We would also like to bring to your attention that this shall be treated as a breach of your confidentiality and therefore disqualifies your eligibility for safe harbor as it is outlined in this policy. \n\n- Any Vulnerability found must be reported no later than 24 hours after discovery;  \n- Report on Vulnerability shall be disclosed to MG exclusively;  \n- To obtain any type of verified account on our platform your user's account must be created using the HackerOne alias email 'username@wearehackerone.com';  \n- You must send a clear textual description of the report along with steps to reproduce the vulnerability (proof of concept “PoC”) that must be included in the Report;  \n- You must include attachments such as screenshots or PoC code as necessary. 
To be acceptable, any submitted Vulnerability report must include as a minimum:  \n- List the URL and any affected parameters;  \n- Describe the browser, OS, and/or app version;  \n- Describe the perceived impact. How could the Vulnerability potentially be exploited? \n**Reports that only feature a video PoC without written reproduction steps will be refused.** \n\n\n# The (“Reward(s)”)  \nMG may provide Rewards to eligible Finders of Vulnerabilities in accordance with this Policy. *Reward amounts may vary depending upon the severity of the Vulnerability reported at MG’s sole discretion.*  \n\nPromotional material (“Swag”) may be awarded as a bonus to triaged qualifying, in-scope reports. MG allows one Swag item per researcher. MG will not respond to repeated requests to be awarded Swag under any circumstances.  \n\nMG will, at its sole discretion, decide if the minimum severity threshold is met for each reported Vulnerability. MG shall use commercially reasonable efforts to inform the Finder if the Vulnerability was previously reported. Rewards are granted entirely at the discretion of MG in accordance with this Policy.  \n\nIf your report was closed as a duplicate, you cannot be invited in the original report to preserve its confidentiality.  \n\n\n# Disclosure Guidelines  \n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. Informative or Duplicate reports are not eligible for disclosure. \n- Follow HackerOne's disclosure guidelines. \n\n\n# Out of scope vulnerabilities \nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope: \n \n- Information Disclosure without significant and executable impact \n- Information leakage, data cached in search engines or the web archive \n- Cross-Origin Resource Sharing (CORS) \n- Self XSS and XSS without impact \n- Anything related to confirmation emails \n- Clickjacking on pages with no sensitive actions \n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions \n- Attacks requiring MITM or physical access to a user's device. \n- Previously known vulnerable libraries without a working Proof of Concept. \n- Comma Separated Values (CSV) injection without demonstrating vulnerability. \n- Missing best practices in SSL/TLS configuration. \n- Any activity that could lead to the disruption of our service (DoS). \n- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS \n- Rate limiting or brute force issues on non-authentication endpoints \n- Missing best practices in Content Security Policy. \n- Missing HTTP Only or Secure flags on cookies \n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.) \n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version] \n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors). \n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis. \n- Tab nabbing \n- Open redirect - unless an additional security impact can be demonstrated \n- Issues that require unlikely user interaction \n- Physical testing (e.g., office access, open doors, tailgating), or any other non-technical vulnerability testing \n- Tests against Cloud Service Providers where no Vulnerability Disclosure Policy exists. 
\n- Phishing or Social Engineering \n- Third-party services or systems used by MindGeek \n\n\n# Miscellaneous   \nYou must be at least 18 years old to participate in MG’s Bug Bounty Program.   \n\nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are legally bound by the Finders Terms and Conditions, The General Terms and Conditions, The Code of Conduct for Finders, Vulnerability Disclosure Guidelines as well as any other agreement found on https://www.hackerone.com/ that applies to Finders (the \"Agreements\"), and these, together with this Program Policy, shall govern the legal relationship between you and MG. All terms used but not defined herein shall have the meaning ascribed to them in the Agreements.   \n\nCurrent and previous employees of MG, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in MG’s Bug Bounty Program but are not eligible for monetary Rewards. The term (“Immediate Family”) includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, cohabitation or other family extension, and any other persons residing at the same household whether related or not.  \n\nMG reserves the right to modify the terms of this Policy or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.  \n\n\n# Safe Harbor \nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Thank you for helping keep MindGeek safe! \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-22T21:35:23.969Z"},{"id":3652628,"new_policy":"Security is a top priority at MG Freesites Ltd (“MG”). MG loves to work with skilled security researchers to improve the security of MG’s Services. If you (also referred herein as the “Finder”) believe you have found a (“Vulnerability” or “Vulnerabilities”), as defined in the vulnerability disclosure guideline on www.hackerone.com, in the services listed in MG’s scope (as defined below), MG will be happy to work with you to resolve the issue promptly and ensure you are rewarded for your discovery.\n \n# (The ”Scope”)\n \nAt this time, the scope of this program is limited to Vulnerabilities found on the Tube8 and Tube8 Premium websites (The “Properties”). Vulnerabilities reported on other Properties are currently not eligible for Reward (as defined below). 
Reward for high impact Vulnerabilities outside of the Scope might be considered on a case by case basis and at the sole discretion of MG.\n \n**In-Scope Sub-Domains:**\n\u003e https://www.tube8.com/\n https://www.tube8.fr/\n https://www.tube8.es/\n https://de.tube8.com/\n https://jp.tube8.com/\n \n**Out-of-Scope Sub-Domains:**\n\u003e https://*.tube8.com/\n https://blog.tube8.com/\nhttps://www.tube8.com/contact.html\n\nFor all the programs CMS applications will be out of scope [not rewarded].\n \nFor account access issues or visual layout and website functionality (QA) bugs, please work with MG’s [Customer Support](https://www.tube8.com/contact.html) which will resolve those issues independently. \n \n**Important:** \nContacting MG’s support team directly to inquire about the status of examination of a HackerOne report (“Report”) will result in an immediate disqualification from receiving a Reward. All communications must be conducted through the HackerOne's communication system only.\n  \n# Eligibility\n\nYou will qualify for a Reward only if you are the first Finder to responsibly disclose an unknown Vulnerability. MG’s Security Team has up to 48 hours to first respond, up to 5 days to triage, 10 days to reward the report, and up to 90 days to implement a fix based on the severity of the Vulnerability. Severity of Vulnerability shall be assessed in accordance with the Common Vulnerability Scoring System (CVSS) Version 3.0.\n \nPlease allow for this process to fully complete before attempting to contact us again. Note that posting details, conversations or any other Confidential Information about a Vulnerability report or posting details that reflect negatively on the program and Tube8 will result in immediate removal from the program. We would also like to bring to your attention that this shall be treated as a breach of your confidentiality obligations as further detailed on www.hackerone.com and therefore, MG shall be allowed to seek the applicable remedies. 
\n \n- Any Vulnerability found must be reported no later than 24 hours after discovery;\n- Report on Vulnerability shall be disclosed to MG exclusively;\n- You must avoid tests that could cause degradation or interruption of MG’s services;\n- You must not access, leak, manipulate, or destroy any user data, including but not limited to, user information, metadata, preferences, configurations, etc. (“User Data”);\n- You are only allowed to perform tests against your own accounts;\n- The use of automated tools or scripted testing is not allowed. This includes but is not limited to vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts which may result in heavy traffic or flooding of any of MG’s services;\n- To obtain any type of verified account on Tube8 your user's account must be created using the HackerOne alias email 'username@wearehackerone.com';\n- You must send a clear textual description of the report along with steps to reproduce the vulnerability (proof of concept “PoC”) that must be included in the Report;\n- You must include attachments such as screenshots or PoC code as necessary.\n\nTo be acceptable, any submitted Vulnerability report must include as a minimum:\n \n- List the URL and any affected parameters;\n- Describe the browser, OS, and/or app version;\n- Describe the perceived impact. How could the Vulnerability potentially be exploited?\n\n \n# The (“Reward(s)”)\n \nMG may provide Rewards to eligible Finders of Vulnerabilities in accordance with this Policy. \n\nMG’s minimum reward is $50 USD, and MG’s maximum reward amount is $25,000 USD. \n*Reward amounts may vary depending upon the severity of the Vulnerability reported at MG’s sole discretion.*\n \nPromotional material (“Swag”) may be awarded as a bonus to triaged qualifying, in-scope reports. MG allows one Swag item per researcher. 
MG will not respond to repeated requests to be awarded Swag under any circumstances.\n \nThe following Rewards Scheme is a reference for the _average_ rewards on specific classes of Vulnerabilities. Rewards are calculated based on the severity and impact. \n \n|Vulnerability Types|Core Tube8 *|All Other|\n|---|---|---|\n|Remote Shell / Command Execution|$15,000|$5,000|\n|Remote Code Execution|$10,000|$2,500|\n|SQL Injection (with output)|$5,000|$2,500|\n|Significant Authentication Bypass|$5,000|$1,000|\n|Local File Inclusion|$2,500|$1,000|\n|SQL Injection (blind)|$2,500|$1,000|\n|Insecure Direct Object References|$1,500|$750|\n|Server Side Request Forgery|$1,500|$750|\n|Stored Cross Site Scripting|$1,500|$500|\n|Other Cross Site Scripting|$250|$50|\n \n*\\* Core Tube8 covers https://www.tube8.com. It does not include any other domains, sub-domains, or services, including any Tube8 blogs such as [Blog](https://blog.tube8.com/) or Support systems.*\n \nMG will, at its sole discretion, decide if the minimum severity threshold is met for each reported Vulnerability. MG shall use commercially reasonable efforts to inform the Finder if the Vulnerability was previously reported. Rewards are granted entirely at the discretion of Tube8 in accordance with this Policy.\nIf your report was closed as a duplicate, you cannot be invited in the original report to preserve its confidentiality.\n \n# HackerOne Vulnerability Disclosure\n \nIn order for your Report to be eligible for disclosure within HackerOne it should go through the Triage and Resolution steps. Any attempts to disclose unresolved, Informative or Duplicate reports will be rejected. 
\n\n# Additional conditions: \n\nThe following are strictly prohibited:\n \n-\tDenial of Service attacks.\n-\tPhysical attacks against offices and data centers.\n-\tSocial engineering of MG’s support agents, service desk, employees or contractors.\n-\tCompromise of a Tube8 user's or employee's account.\n-\tAutomated tools or scans, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic.\n \nAdditionally, the following Vulnerabilities will not be considered for bounty:\n \n- Cross site request forgery (CSRF)\n- Cross domain leakage\n- Cross-Origin resource sharing (CORS)\n- Information disclosure\n- Information leakage, data cached in search engines or the web archive\n- Software version disclosure\n- Self-XSS and XSS without impact\n- Missing SPF or DMARC records\n- HttpOnly, SameSite and Secure Cookie flags\n- SSL/TLS related (such as HSTS, GET over HTTP, Password sent in HTTP)\n- Password and account recovery policies\n- Session timeout\n- Session Hijacking (cookie reuse)\n- Missing X-Frame or X-Content headers\n- Account enumeration\n- Click-jacking\n- Rate-limiting \n- Downloading video\n- Confirmation Email (anything related with)\n \n# Miscellaneous \n \nYou must be at least 18 years old to participate in MG’s Bug bounty Program. \n \nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are legally bound by the Finders Terms and Conditions, The General Terms and Conditions, The Code of Conduct for Finders, Vulnerability Disclosure Guidelines as well as any other agreement found on https://www.hackerone.com/ that applies to Finders (the \"Agreements\")  and these, as well as this Program Policy shall govern the legal relationship between you and MG. All terms used but not defined herein shall have the meaning ascribed to them in the Agreements. 
\n \nCurrent and previous employees of MG, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in MG’s Bug Bounty Program but are not eligible for monetary Rewards. The term (“Immediate Family”) includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, co-habitation or other family extension, and any other persons residing at the same household whether or not related.\n \nMG reserves the right to modify the terms of this Policy or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.\n \nThank you for helping keep Tube8 safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-05-21T21:44:52.908Z"},{"id":3643491,"new_policy":"Security is a top priority at MG Freesites Ltd (“MG”). MG loves to work with skilled security researchers to improve the security of MG’s Services. If you (also referred to herein as the “Finder”) believe you have found a (“Vulnerability” or “Vulnerabilities”), as defined in the vulnerability disclosure guideline on www.hackerone.com, in the services listed in MG’s scope (as defined below), MG will be happy to work with you to resolve the issue promptly and ensure you are rewarded for your discovery.\n \n# (The “Scope”)\n \nAt this time, the scope of this program is limited to Vulnerabilities found on the Tube8 and Tube8 Premium websites (The “Properties”). 
Vulnerabilities reported on other Properties are currently not eligible for Reward (as defined below). Reward for high impact Vulnerabilities outside of the Scope might be considered on a case by case basis and at the sole discretion of MG.\n \n**In-Scope Sub-Domains:**\n\u003e https://www.tube8.com/\n https://www.tube8.fr/\n https://www.tube8.es/\n https://de.tube8.com/\n https://jp.tube8.com/\n \n**Out-of-Scope Sub-Domains:**\n\u003e https://*.tube8.com/\n https://blog.tube8.com/\nhttps://www.tube8.com/contact.html\n\nFor all the programs CMS applications will be out of scope [not rewarded].\n \nFor account access issues or visual layout and website functionality (QA) bugs, please work with MG’s [Customer Support](https://www.tube8.com/contact.html) which will resolve those issues independently. \n \n**Important:** \nContacting MG’s support team directly to inquire about the status of examination of a HackerOne report (“Report”) will result in an immediate disqualification from receiving a Reward. All communications must be conducted through the HackerOne's communication system only.\n  \n# Eligibility\n\nYou will qualify for a Reward only if you are the first Finder to responsibly disclose an unknown Vulnerability. MG’s Security Team has up to 48 hours to first respond, up to 5 days to triage, 10 days to reward the report, and up to 90 days to implement a fix based on the severity of the Vulnerability. Severity of Vulnerability shall be assessed in accordance with the Common Vulnerability Scoring System (CVSS) Version 3.0.\n \nPlease allow for this process to fully complete before attempting to contact us again. Note that posting details, conversations or any other Confidential Information about a Vulnerability report or posting details that reflect negatively on the program and Tube8 will result in immediate removal from the program. 
We would also like to bring to your attention that this shall be treated as a breach of your confidentiality obligations as further detailed on www.hackerone.com and therefore, MG shall be allowed to seek the applicable remedies. \n \n- Any Vulnerability found must be reported no later than 24 hours after discovery;\n- Report on Vulnerability shall be disclosed to MG exclusively;\n- You must avoid tests that could cause degradation or interruption of MG’s services;\n- You must not access, leak, manipulate, or destroy any user data, including but not limited to, user information, metadata, preferences, configurations, etc. (“User Data”);\n- You are only allowed to perform tests against your own accounts;\n- The use of automated tools or scripted testing is not allowed. This includes but is not limited to vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts which may result in heavy traffic or flooding of any of MG’s services;\n- To obtain any type of verified account on Tube8 your user's account must be created using the HackerOne alias email 'username@wearehackerone.com';\n- You must send a clear textual description of the report along with steps to reproduce the vulnerability (proof of concept “PoC”) that must be included in the Report;\n- You must include attachments such as screenshots or PoC code as necessary.\n\nTo be acceptable, any submitted Vulnerability report must include as a minimum:\n \n- List the URL and any affected parameters;\n- Describe the browser, OS, and/or app version;\n- Describe the perceived impact. How could the Vulnerability potentially be exploited?\n\n \n# The (“Reward(s)”)\n \nMG may provide Rewards to eligible Finders of Vulnerabilities in accordance with this Policy. \n\nMG’s minimum reward is $50 USD, and MG’s maximum reward amount is $25,000 USD. \n*Reward amounts may vary depending upon the severity of the Vulnerability reported at MG’s sole discretion.
*\n \nPromotional material (“Swag”) may be awarded as a bonus to triaged qualifying, in-scope reports. MG allows one Swag item per researcher. MG will not respond to repeated requests to be awarded Swag under any circumstances.\n \nThe following Rewards Scheme is a reference for the _average_ rewards on specific classes of Vulnerabilities. Rewards are calculated based on the severity and impact. \n \n|Vulnerability Types|Core Tube8 *|All Other|\n|---|---|---|\n|Remote Shell / Command Execution|$15,000|$5,000|\n|Remote Code Execution|$10,000|$2,500|\n|SQL Injection (with output)|$5,000|$2,500|\n|Significant Authentication Bypass|$5,000|$1,000|\n|Local File Inclusion|$2,500|$1,000|\n|SQL Injection (blind)|$2,500|$1,000|\n|Insecure Direct Object References|$1,500|$750|\n|Server Side Request Forgery|$1,500|$750|\n|Stored Cross Site Scripting|$1,500|$500|\n|Other Cross Site Scripting|$250|$50|\n \n*\\* Core Tube8 covers https://www.tube8.com. It does not include any other domains, sub-domains, or services, including any Tube8 blogs such as [Blog](https://blog.tube8.com/) or Support systems.*\n \nMG will, at its sole discretion, decide if the minimum severity threshold is met for each reported Vulnerability. MG shall use commercially reasonable efforts to inform the Finder if the Vulnerability was previously reported. Rewards are granted entirely at the discretion of Tube8 in accordance with this Policy.\nIf your report was closed as a duplicate, you cannot be invited to the original report, to preserve its confidentiality.\n \n# HackerOne Vulnerability Disclosure\n \nIn order for your Report to be eligible for disclosure within HackerOne it should go through the Triage and Resolution steps. Any attempts to disclose unresolved, Informative or Duplicate reports will be rejected. 
\n\n# Additional conditions: \n\nThe following are strictly prohibited:\n \n-\tDenial of Service attacks.\n-\tPhysical attacks against offices and data centers.\n-\tSocial engineering of MG’s support agents, service desk, employees or contractors.\n-\tCompromise of a Tube8 user's or employee's account.\n-\tAutomated tools or scans, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic.\n \nAdditionally, the following Vulnerabilities will not be considered for bounty:\n \n- Cross site request forgery (CSRF)\n- Cross domain leakage\n- Cross-Origin resource sharing (CORS)\n- Information disclosure\n- Information leakage, data cached in search engines or the web archive\n- Software version disclosure\n- Self-XSS and XSS without impact\n- Missing SPF or DMARC records\n- HttpOnly, SameSite and Secure Cookie flags\n- SSL/TLS related (such as HSTS, GET over HTTP, Password sent in HTTP)\n- Password and account recovery policies\n- Session timeout\n- Session Hijacking (cookie reuse)\n- Missing X-Frame or X-Content headers\n- Account enumeration\n- Click-jacking\n- Rate-limiting \n- Downloading video\n- Confirmation Email (anything related to it)\n \n# Miscellaneous \n \nYou must be at least 18 years old to participate in MG’s Bug Bounty Program. \n \nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are legally bound by the Finders Terms and Conditions, The General Terms and Conditions, The Code of Conduct for Finders, Vulnerability Disclosure Guidelines as well as any other agreement found on https://www.hackerone.com/ that applies to Finders (the \"Agreements\") and these, as well as this Program Policy, shall govern the legal relationship between you and MG. All terms used but not defined herein shall have the meaning ascribed to them in the Agreements. 
\n \nEmployees of MG, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in MG’s Bug Bounty Program but are not eligible for Rewards. The term (“Immediate Family”) includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, co-habitation or other family extension, and any other persons residing at the same household whether or not related.\n \nMG reserves the right to modify the terms of this Policy or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.\n \nThank you for helping keep Tube8 safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-08T07:47:15.474Z"},{"id":3643265,"new_policy":"Security is a top priority at Tube8 (“MG”). MG loves to work with skilled security researchers to improve the security of MG’s Services. If you (also referred herein as the “Finder”) believe you have found a (“Vulnerability” or “Vulnerabilities”), as defined in the vulnerability disclosure guideline on www.hackerone.com, in the services listed in MG’s scope (as defined below), MG will be happy to work with you to resolve the issue promptly and ensure you are rewarded for your discovery.\n \n# (The ”Scope”)\n \nAt this time, the scope of this program is limited to Vulnerabilities found on the Tube8 and Tube8 Premium websites (The “Properties”). Vulnerabilities reported on other Properties are currently not eligible for Reward (as defined below). 
Reward for high impact Vulnerabilities outside of the Scope might be considered on a case by case basis and at the sole discretion of MG.\n \n**In-Scope Sub-Domains:**\n\u003e https://www.tube8.com/\n https://www.tube8.fr/\n https://www.tube8.es/\n https://de.tube8.com/\n https://jp.tube8.com/\n \n**Out-of-Scope Sub-Domains:**\n\u003e https://*.tube8.com/\n https://blog.tube8.com/\n https://www.tube8.com/contact.html\n\nFor all programs, CMS applications will be out of scope [not rewarded].\n \nFor account access issues or visual layout and website functionality (QA) bugs, please work with MG’s [Customer Support](https://www.tube8.com/contact.html), which will resolve those issues independently. \n \n**Important:** \nContacting MG’s support team directly to inquire about the status of examination of a HackerOne report (“Report”) will result in an immediate disqualification from receiving a Reward. All communications must be conducted through HackerOne's communication system only.\n  \n# Eligibility\n\nYou will qualify for a Reward only if you are the first Finder to responsibly disclose an unknown Vulnerability. MG’s Security Team has up to 48 hours to first respond, up to 5 days to triage, 10 days to reward the report, and up to 90 days to implement a fix based on the severity of the Vulnerability. Severity of Vulnerability shall be assessed in accordance with the Common Vulnerability Scoring System (CVSS) Version 3.0.\n \nPlease allow for this process to fully complete before attempting to contact us again. Note that posting details, conversations or any other Confidential Information about a Vulnerability report or posting details that reflect negatively on the program and Tube8 will result in immediate removal from the program. We would also like to bring to your attention that this shall be treated as a breach of your confidentiality obligations as further detailed on www.hackerone.com and, therefore, MG shall be allowed to seek the applicable remedies. 
\n \n-\tAny Vulnerability found must be reported no later than 24 hours after discovery;\n-\tReport on Vulnerability shall be disclosed to MG exclusively;\n-\tYou must avoid tests that could cause degradation or interruption of MG’s services;\n-\tYou must not access, leak, manipulate, or destroy any user data, including but not limited to, user information, metadata, preferences, configurations etc. (“User Data”);\n-\tYou are only allowed to perform tests against your own accounts;\n-\tThe use of automated tools or scripted testing is not allowed. This includes but is not limited to vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts which may result in heavy traffic or flooding of any of MG’s services;\n-\tTo obtain any type of verified account on Tube8 your user's account must be created using the HackerOne alias email 'username@wearehackerone.com';\n-\tYou must send a clear textual description of the report along with steps to reproduce the vulnerability (proof of concept “PoC”) that must be included in the Report;\n-\tYou must include attachments such as screenshots or PoC code as necessary.\n\nTo be acceptable, any submitted Vulnerability report must include as a minimum:\n \n- List the URL and any affected parameters;\n- Describe the browser, OS, and/or app version;\n- Describe the perceived impact. How could the Vulnerability potentially be exploited?\n\n \n# The (“Reward(s)”)\n \nMG may provide Rewards to eligible Finders of Vulnerabilities in accordance with this Policy. \n\nMG’s minimum reward is $50 USD, and MG’s maximum reward amount is $25,000 USD. \n*Reward amounts may vary depending upon the severity of the Vulnerability reported at MG’s sole discretion. *\n \nPromotional material (“Swag”) may be awarded as a bonus to triaged qualifying, in-scope reports. MG allows one Swag item per researcher. 
MG will not respond to repeated requests to be awarded Swag under any circumstances.\n \nThe following Rewards Scheme is a reference for the _average_ rewards on specific classes of Vulnerabilities. Rewards are calculated based on the severity and impact. \n \n|Vulnerability Types|Core Tube8 *|All Other|\n|---|---|---|\n|Remote Shell / Command Execution|$15,000|$5,000|\n|Remote Code Execution|$10,000|$2,500|\n|SQL Injection (with output)|$5,000|$2,500|\n|Significant Authentication Bypass|$5,000|$1,000|\n|Local File Inclusion|$2,500|$1,000|\n|SQL Injection (blind)|$2,500|$1,000|\n|Insecure Direct Object References|$1,500|$750|\n|Server Side Request Forgery|$1,500|$750|\n|Stored Cross Site Scripting|$1,500|$500|\n|Other Cross Site Scripting|$250|$50|\n \n*\\* Core Tube8 covers https://www.tube8.com. It does not include any other domains, sub-domains, or services, including any Tube8 blogs such as [Blog](https://blog.tube8.com/) or Support systems.*\n \nMG will, at its sole discretion, decide if the minimum severity threshold is met for each reported Vulnerability. MG shall use commercially reasonable efforts to inform the Finder if the Vulnerability was previously reported. Rewards are granted entirely at the discretion of Tube8 in accordance with this Policy.\nIf your report was closed as a duplicate, you cannot be invited to the original report, to preserve its confidentiality.\n \n# HackerOne Vulnerability Disclosure\n \nIn order for your Report to be eligible for disclosure within HackerOne it should go through the Triage and Resolution steps. Any attempts to disclose unresolved, Informative or Duplicate reports will be rejected. 
\n\n# Additional conditions: \n\nThe following are strictly prohibited:\n \n-\tDenial of Service attacks.\n-\tPhysical attacks against offices and data centers.\n-\tSocial engineering of MG’s support agents, service desk, employees or contractors.\n-\tCompromise of a Tube8 user's or employee's account.\n-\tAutomated tools or scans, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic.\n \nAdditionally, the following Vulnerabilities will not be considered for bounty:\n \n- Cross site request forgery (CSRF)\n- Cross domain leakage\n- Cross-Origin resource sharing (CORS)\n- Information disclosure\n- Information leakage, data cached in search engines or the web archive\n- Software version disclosure\n- Self-XSS and XSS without impact\n- Missing SPF or DMARC records\n- HttpOnly, SameSite and Secure Cookie flags\n- SSL/TLS related (such as HSTS, GET over HTTP, Password sent in HTTP)\n- Password and account recovery policies\n- Session timeout\n- Session Hijacking (cookie reuse)\n- Missing X-Frame or X-Content headers\n- Account enumeration\n- Click-jacking\n- Rate-limiting \n- Downloading video\n- Confirmation Email (anything related to it)\n \n# Miscellaneous \n \nYou must be at least 18 years old to participate in MG’s Bug Bounty Program. \n \nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are legally bound by the Finders Terms and Conditions, The General Terms and Conditions, The Code of Conduct for Finders, Vulnerability Disclosure Guidelines as well as any other agreement found on https://www.hackerone.com/ that applies to Finders (the \"Agreements\") and these, as well as this Program Policy, shall govern the legal relationship between you and MG. All terms used but not defined herein shall have the meaning ascribed to them in the Agreements. 
\n \nEmployees of MG, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in MG’s Bug Bounty Program but are not eligible for Rewards. The term (“Immediate Family”) includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, co-habitation or other family extension, and any other persons residing at the same household whether or not related.\n \nMG reserves the right to modify the terms of this Policy or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.\n \nThank you for helping keep Tube8 safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-06T09:52:32.610Z"},{"id":3640338,"new_policy":"Security is a top priority at Tube8. We love to work with skilled security researchers to improve the security of our service. If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.\n \n# Scope\n \nAt this time, the scope of this program is limited to security vulnerabilities found on the Tube8 [and Tube8 Premium websites] [as well as in the Tube8 Mobile application]. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward. 
High impact vulnerabilities outside of this scope might be considered on a case by case basis.\n \n**In-Scope Sub-Domains:**\n\u003e https://www.tube8.com/\n https://www.tube8.fr/\n https://www.tube8.es/\n https://de.tube8.com/\n https://jp.tube8.com/\n\n**Out-of-Scope Sub-Domains:**\n\u003e https://*.tube8.com/\n https://blog.tube8.com/\n https://www.tube8.com/contact.html\n\nFor account access issues or visual layout and website functionality (QA) bugs, please work with our [Customer Support](https://www.tube8.com/contact.html), which will resolve those issues independently. \n\n**Important:** \nContacting our support team about the status of a HackerOne report, or the decision with which your report was concluded, will result in an immediate disqualification from receiving a reward. All communications must be conducted through HackerOne's communication system only.\n \n \n# Eligibility\n \nYou will qualify for a reward only if you are the first person to responsibly disclose an unknown issue. The Tube8 security team has up to 48 hours to first respond, up to 15 days to triage and reward the report, and up to 90 days to implement a fix based on the severity of the report.\n \nPlease allow for this process to fully complete before attempting to contact us again. Note that posting details or conversations about the report or posting details that reflect negatively on the program and the Tube8 brand will result in immediate removal from the program.\n \n- Any vulnerability found must be reported no later than 24 hours after discovery.\n- You are not allowed to disclose details about the vulnerability anywhere else.\n- You must avoid tests that could cause degradation or interruption of our services.\n- You must not access, leak, manipulate, or destroy any user data.\n- You are only allowed to perform tests against accounts you own yourself.\n- The use of automated tools or scripted testing is not allowed. 
This includes vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts which may result in heavy traffic or flooding of any of our services.\n- To obtain any type of verified account on Tube8 your user's account must be created using the HackerOne alias email 'username@wearehackerone.com'. \n \n# Rewards\n \nTo qualify for a reward under this program, you should:\n \n- Be the first to report a vulnerability.\n- Send a clear textual description of the report along with steps to reproduce the vulnerability (PoC).\n- Include attachments such as screenshots or proof of concept code as necessary.\n- Disclose the vulnerability report directly and exclusively to us. \n \nTube8 may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD, and our maximum reward amount is $25,000 USD. \n*Reward amounts may vary depending upon the severity of the vulnerability reported. *\n \nSwag may be awarded as a bonus to qualifying, in-scope reports. We allow one swag item per researcher. We will not respond to repeated requests to be awarded swag under any circumstances.\n \nThe following table is a reference for the _average_ rewards of specific classes of vulnerabilities. Rewards are calculated based on the severity and impact.\n \n|Vulnerability Types|Core Tube8 *|All Other|\n|---|---|---|\n|Remote Shell / Command Execution|$15,000|$5,000|\n|Remote Code Execution|$10,000|$2,500|\n|SQL Injection (with output)|$5,000|$2,500|\n|Significant Authentication Bypass|$5,000|$1,000|\n|Local File Inclusion|$2,500|$1,000|\n|SQL Injection (blind)|$2,500|$1,000|\n|Insecure Direct Object References|$1,500|$750|\n|Server Side Request Forgery|$1,500|$750|\n|Stored Cross Site Scripting|$1,500|$500|\n|Other Cross Site Scripting|$250|$50|\n \n*\\* Core Tube8 covers https://www.tube8.com/ as well as the official Tube8 mobile application. 
It does not include any other domains, sub-domains, or services, including any Tube8 blogs such as [Blog](https://blog.tube8.com/) or Support systems.*\n \nTube8 reserves the right to decide if the minimum severity threshold is met and whether the report was previously reported. Rewards are granted entirely at the discretion of Tube8.\n \nA good bug report should include the following information at a minimum:\n \n- List the URL and any affected parameters\n- Describe the browser, OS, and/or app version\n- Describe the perceived impact. How could the bug potentially be exploited?\n \n# Exceptions \u0026 Rules\n \nOur bug bounty program is limited strictly to technical security vulnerabilities of Tube8 services listed in the scope. Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.\n \nPlease do not mass create accounts to perform testing against Tube8 applications and services. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n \n# HackerOne Vulnerability Disclosure\n \nIn order for your report to be eligible for disclosure within HackerOne it should go through the Triage and Resolution steps. Any attempts to disclose unresolved, Informative or Duplicate reports will be rejected. 
\n \nThe following are strictly prohibited:\n \n- Denial of Service attacks.\n- Physical attacks against offices and data centers.\n- Social engineering of our service desk, employees or contractors.\n- Compromise of a Tube8 user's or employee's account.\n- Automated tools or scans, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic.\n \nAdditionally, the following vulnerabilities will not be considered for bounty:\n \n- Cross site request forgery (CSRF)\n- Cross domain leakage\n- Information disclosure\n- Information leakage, data cached in search engines or the web archive\n- Software version disclosure\n- Self-XSS and XSS without impact\n- Missing SPF or DMARC records\n- HttpOnly, SameSite and Secure cookie flags\n- SSL/TLS related (such as HSTS, GET over HTTP, Password sent in HTTP)\n- Password and account recovery policies\n- Session timeout\n- Session Hijacking (cookie reuse)\n- Missing X-Frame or X-Content headers\n- Account enumeration\n- Click-jacking\n- Rate-limiting \n- Downloading video\n- Confirmation Email (anything related to it)\n \n**Legal Notes:** \n \nYou must be at least 18 years old to participate in our Bug Bounty Program. \n \nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are responsible for paying any taxes associated with rewards.\n \nEmployees of the Company, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in our Bug Bounty Program but are not eligible for monetary rewards. 
The term “immediate family” includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, co-habitation or other family extension, and any other persons residing at the same household whether or not related.\n \nWe reserve the right to modify the terms of this program or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.\n \nThank you for helping keep Tube8 safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-23T15:38:49.195Z"},{"id":3640337,"new_policy":"Security is a top priority at Tube8. We love to work with skilled security researchers to improve the security of our service. If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.\n \n# Scope\n \nAt this time, the scope of this program is limited to security vulnerabilities found on the Tube8 [and Tube8 Premium websites] [as well as in the Tube8 Mobile application]. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward. 
High impact vulnerabilities outside of this scope might be considered on a case by case basis.\n \n**In-Scope Sub-Domains:**\n\u003e https://www.tube8.com/\n https://www.tube8.fr/\n https://www.tube8.es/\n https://de.tube8.com/\n https://jp.tube8.com/\n\n**Out-of-Scope Sub-Domains:**\n\u003e https://*.tube8.com/\n https://blog.tube8.com/\n https://www.tube8.com/contact.html\n\nFor account access issues or visual layout and website functionality (QA) bugs, please work with our [Customer Support](https://www.tube8.com/contact.html), which will resolve those issues independently. \n\n**Important:** \nContacting our support team about the status of a HackerOne report, or the decision with which your report was concluded, will result in an immediate disqualification from receiving a reward. All communications must be conducted through HackerOne's communication system only.\n \n \n# Eligibility\n \nYou will qualify for a reward only if you are the first person to responsibly disclose an unknown issue. The Tube8 security team has up to 48 hours to first respond, up to 15 days to triage and reward the report, and up to 90 days to implement a fix based on the severity of the report.\n \nPlease allow for this process to fully complete before attempting to contact us again. Note that posting details or conversations about the report or posting details that reflect negatively on the program and the Tube8 brand will result in immediate removal from the program.\n \n- Any vulnerability found must be reported no later than 24 hours after discovery.\n- You are not allowed to disclose details about the vulnerability anywhere else.\n- You must avoid tests that could cause degradation or interruption of our services.\n- You must not access, leak, manipulate, or destroy any user data.\n- You are only allowed to perform tests against accounts you own yourself.\n- The use of automated tools or scripted testing is not allowed. 
This includes vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts which may result in heavy traffic or flooding of any of our services.\n- To obtain any type of verified account on Tube8 your user's account must be created using the HackerOne alias email 'username@wearehackerone.com'. \n \n# Rewards\n \nTo qualify for a reward under this program, you should:\n \n- Be the first to report a vulnerability.\n- Send a clear textual description of the report along with steps to reproduce the vulnerability (PoC).\n- Include attachments such as screenshots or proof of concept code as necessary.\n- Disclose the vulnerability report directly and exclusively to us. \n \nTube8 may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $XX USD, and our maximum reward amount is $XX,000 USD. \n*Reward amounts may vary depending upon the severity of the vulnerability reported. *\n \nSwag may be awarded as a bonus to qualifying, in-scope reports. We allow one swag item per researcher. We will not respond to repeated requests to be awarded swag under any circumstances.\n \nThe following table is a reference for the _average_ rewards of specific classes of vulnerabilities. Rewards are calculated based on the severity and impact.\n \n|Vulnerability Types|Core Tube8 *|All Other|\n|---|---|---|\n|Remote Shell / Command Execution|$15,000|$5,000|\n|Remote Code Execution|$10,000|$2,500|\n|SQL Injection (with output)|$5,000|$2,500|\n|Significant Authentication Bypass|$5,000|$1,000|\n|Local File Inclusion|$2,500|$1,000|\n|SQL Injection (blind)|$2,500|$1,000|\n|Insecure Direct Object References|$1,500|$750|\n|Server Side Request Forgery|$1,500|$750|\n|Stored Cross Site Scripting|$1,500|$500|\n|Other Cross Site Scripting|$250|$50|\n \n*\\* Core Tube8 covers https://www.tube8.com/ as well as the official Tube8 mobile application. 
It does not include any other domains, sub-domains, or services, including any Tube8 blogs such as [Blog](https://blog.tube8.com/) or Support systems.*\n \nTube8 reserves the right to decide if the minimum severity threshold is met and whether the report was previously reported. Rewards are granted entirely at the discretion of Tube8.\n \nA good bug report should include the following information at a minimum:\n \n- List the URL and any affected parameters\n- Describe the browser, OS, and/or app version\n- Describe the perceived impact. How could the bug potentially be exploited?\n \n# Exceptions \u0026 Rules\n \nOur bug bounty program is limited strictly to technical security vulnerabilities of Tube8 services listed in the scope. Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.\n \nPlease do not mass create accounts to perform testing against Tube8 applications and services. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n \n# HackerOne Vulnerability Disclosure\n \nIn order for your report to be eligible for disclosure within HackerOne it should go through the Triage and Resolution steps. Any attempts to disclose unresolved, Informative or Duplicate reports will be rejected. 
\n \nThe following are strictly prohibited:\n \n- Denial of Service attacks.\n- Physical attacks against offices and data centers.\n- Social engineering of our service desk, employees or contractors.\n- Compromise of a Tube8 user's or employee's account.\n- Automated tools or scans, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic.\n \nAdditionally, the following vulnerabilities will not be considered for bounty:\n \n- Cross site request forgery (CSRF)\n- Cross domain leakage\n- Information disclosure\n- Information leakage, data cached in search engines or the web archive\n- Software version disclosure\n- Self-XSS and XSS without impact\n- Missing SPF or DMARC records\n- HttpOnly, SameSite and Secure cookie flags\n- SSL/TLS related (such as HSTS, GET over HTTP, Password sent in HTTP)\n- Password and account recovery policies\n- Session timeout\n- Session Hijacking (cookie reuse)\n- Missing X-Frame or X-Content headers\n- Account enumeration\n- Click-jacking\n- Rate-limiting \n- Downloading video\n- Confirmation Email (anything related to it)\n \n**Legal Notes:** \n \nYou must be at least 18 years old to participate in our Bug Bounty Program. \n \nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are responsible for paying any taxes associated with rewards.\n \nEmployees of the Company, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in our Bug Bounty Program but are not eligible for monetary rewards. 
The term “immediate family” includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, co-habitation or other family extension, and any other persons residing at the same household whether or not related.\n \nWe reserve the right to modify the terms of this program or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.\n \nThank you for helping keep Tube8 safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-23T15:38:26.651Z"},{"id":3639403,"new_policy":"Security is a top priority at Tube8. We love to work with skilled security researchers to improve the security of our service. If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.\n \n# Scope\n \nAt this time, the scope of this program is limited to security vulnerabilities found on the Tube8 [and Tube8 Premium websites] [as well as in the Tube8 Mobile application]. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward. 
High-impact vulnerabilities outside of this scope might be considered on a case-by-case basis.\n \n**In-Scope Sub-Domains:**\n\n\u003e https://www.tube8.com/\n\u003e https://www.tube8.fr/\n\u003e https://www.tube8.es/\n\u003e https://de.tube8.com/\n\u003e https://jp.tube8.com/\n\n**Out-of-Scope Sub-Domains:**\n\n\u003e https://*.tube8.com/\n\u003e https://blog.tube8.com/\n\u003e https://www.tube8.com/contact.html\n\nFor account access issues or visual layout and website functionality (QA) bugs, please work with our [Customer Support](https://www.tube8.com/contact.html), who will resolve those issues independently. \n\n**Important:** \nContacting our support team about the status of a HackerOne report, or about the decision with which your report was concluded, will result in an immediate disqualification from receiving a reward. All communications must be conducted through HackerOne's communication system only.\n \n \n# Eligibility\n \nYou will qualify for a reward only if you are the first person to responsibly disclose an unknown issue. The Tube8 security team has up to 48 hours to first respond, up to 15 days to triage and reward the report, and up to 90 days to implement a fix, based on the severity of the report.\n \nPlease allow for this process to fully complete before attempting to contact us again. Note that posting details or conversations about the report, or posting details that reflect negatively on the program and the Tube8 brand, will result in immediate removal from the program.\n \n- Any vulnerability found must be reported no later than 24 hours after discovery.\n- You are not allowed to disclose details about the vulnerability anywhere else.\n- You must avoid tests that could cause degradation or interruption of our services.\n- You must not access, leak, manipulate, or destroy any user data.\n- You are only allowed to perform tests against accounts you own yourself.\n- The use of automated tools or scripted testing is not allowed. 
This includes vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts that may result in heavy traffic or flooding of any of our services.\n- To obtain any type of verified account on Tube8, your user account must be created using the HackerOne alias email 'username@wearehackerone.com'. \n \n# Rewards\n \nTo qualify for a reward under this program, you should:\n \n- Be the first to report a vulnerability.\n- Send a clear textual description of the report along with steps to reproduce the vulnerability (PoC).\n- Include attachments such as screenshots or proof-of-concept code as necessary.\n- Disclose the vulnerability report directly and exclusively to us. \n \nTube8 may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $XX USD, and our maximum reward amount is $XX,000 USD. \n*Reward amounts may vary depending upon the severity of the vulnerability reported.*\n \nSwag may be awarded as a bonus to qualifying, in-scope reports. We allow one swag item per researcher. We will not respond to repeated requests to be awarded swag under any circumstances.\n \nThe following table is a reference for the _average_ rewards of specific classes of vulnerabilities. Rewards are calculated based on the severity and impact.\n \n(To be updated to reflect rewards per criticality according to the CVSS)\n\n|Vulnerability Types|Core Tube8 *|All Other|\n|---|---|---|\n|Remote Shell / Command Execution|$15,000|$5,000|\n|Remote Code Execution|$10,000|$2,500|\n|SQL Injection (with output)|$5,000|$2,500|\n|Significant Authentication Bypass|$5,000|$1,000|\n|Local File Inclusion|$2,500|$1,000|\n|SQL Injection (blind)|$2,500|$1,000|\n|Insecure Direct Object References|$1,500|$750|\n|Server Side Request Forgery|$1,500|$750|\n|Stored Cross Site Scripting|$1,500|$500|\n|Other Cross Site Scripting|$250|$50|\n \n*\\* Core Tube8 covers https://www.tube8.com/ as well as the official Tube8 mobile application. 
It does not include any other domains, sub-domains, or services, including any Tube8 blogs such as [Blog](https://blog.tube8.com/) or Support systems.*\n \nTube8 reserves the right to decide if the minimum severity threshold is met and whether the report was previously reported. Rewards are granted entirely at the discretion of Tube8.\n \nA good bug report should include the following information at a minimum:\n \n- List the URL and any affected parameters\n- Describe the browser, OS, and/or app version\n- Describe the perceived impact. How could the bug potentially be exploited?\n \n# Exceptions \u0026 Rules\n \nOur bug bounty program is limited strictly to technical security vulnerabilities of Tube8 services listed in the scope. Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.\n \nPlease do not mass create accounts to perform testing against Tube8 applications and services. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n \n# HackerOne Vulnerability Disclosure\n \nIn order for your report to be eligible for disclosure within HackerOne it should go through the Triage and Resolution steps. Any attempts to disclose unresolved, Informative or Duplicate reports will be rejected. 
\n \nThe following are strictly prohibited:\n \n- Denial-of-service attacks.\n- Physical attacks against offices and data centers.\n- Social engineering of our service desk, employees or contractors.\n- Compromise of a Tube8 user's or employee's account.\n- Automated tools or scans, botnets, compromised sites, end clients or any other means of large-scale automated exploitation, or use of any tool that generates a significant volume of traffic.\n \nAdditionally, the following vulnerabilities will not be considered for bounty:\n \n- Cross-site request forgery (CSRF)\n- Cross-domain leakage\n- Information disclosure\n- Information leakage, data cached in search engines or the web archive\n- Software version disclosure\n- Self-XSS and XSS without impact\n- Missing SPF or DMARC records\n- HttpOnly, SameSite and Secure cookie flags\n- SSL/TLS-related issues (such as missing HSTS, GET over HTTP, passwords sent over HTTP)\n- Password and account recovery policies\n- Session timeout\n- Session hijacking (cookie reuse)\n- Missing X-Frame-Options or X-Content-Type-Options headers\n- Account enumeration\n- Clickjacking\n- Rate limiting\n- Downloading video\n- Confirmation email (anything related to it)\n \n**Legal Notes:** \n \nYou must be at least 18 years old to participate in our Bug Bounty Program. \n \nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are responsible for paying any taxes associated with rewards.\n \nEmployees of the Company, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in our Bug Bounty Program but are not eligible for monetary rewards. 
The term “immediate family” includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, cohabitation or other family extension, and any other persons residing in the same household, whether or not related.\n \nWe reserve the right to modify the terms of this program or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.\n \nThank you for helping keep Tube8 safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-09T15:37:32.894Z"},{"id":3639402,"new_policy":"Security is a top priority at Tube8. We love to work with skilled security researchers to improve the security of our service. If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.\n \n# Scope\n \nAt this time, the scope of this program is limited to security vulnerabilities found on the Tube8 [and Tube8 Premium websites] [as well as in the Tube8 Mobile application]. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward. 
High-impact vulnerabilities outside of this scope might be considered on a case-by-case basis.\n \n**In-Scope Sub-Domains:**\n\n\u003e https://www.tube8.com/\n\u003e https://www.tube8.fr/\n\u003e https://www.tube8.es/\n\u003e https://de.tube8.com/\n\u003e https://jp.tube8.com/\n\n**Out-of-Scope Sub-Domains:**\n\n\u003e https://*.tube8.com/\n\u003e https://blog.tube8.com/\n\nFor account access issues or visual layout and website functionality (QA) bugs, please work with our [Customer Support](https://www.tube8.com/contact.html), who will resolve those issues independently. \n\n**Important:** \nContacting our support team about the status of a HackerOne report, or about the decision with which your report was concluded, will result in an immediate disqualification from receiving a reward. All communications must be conducted through HackerOne's communication system only.\n \n \n# Eligibility\n \nYou will qualify for a reward only if you are the first person to responsibly disclose an unknown issue. The Tube8 security team has up to 48 hours to first respond, up to 15 days to triage and reward the report, and up to 90 days to implement a fix, based on the severity of the report.\n \nPlease allow for this process to fully complete before attempting to contact us again. Note that posting details or conversations about the report, or posting details that reflect negatively on the program and the Tube8 brand, will result in immediate removal from the program.\n \n- Any vulnerability found must be reported no later than 24 hours after discovery.\n- You are not allowed to disclose details about the vulnerability anywhere else.\n- You must avoid tests that could cause degradation or interruption of our services.\n- You must not access, leak, manipulate, or destroy any user data.\n- You are only allowed to perform tests against accounts you own yourself.\n- The use of automated tools or scripted testing is not allowed. 
This includes vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts that may result in heavy traffic or flooding of any of our services.\n- To obtain any type of verified account on Tube8, your user account must be created using the HackerOne alias email 'username@wearehackerone.com'. \n \n# Rewards\n \nTo qualify for a reward under this program, you should:\n \n- Be the first to report a vulnerability.\n- Send a clear textual description of the report along with steps to reproduce the vulnerability (PoC).\n- Include attachments such as screenshots or proof-of-concept code as necessary.\n- Disclose the vulnerability report directly and exclusively to us. \n \nTube8 may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $XX USD, and our maximum reward amount is $XX,000 USD. \n*Reward amounts may vary depending upon the severity of the vulnerability reported.*\n \nSwag may be awarded as a bonus to qualifying, in-scope reports. We allow one swag item per researcher. We will not respond to repeated requests to be awarded swag under any circumstances.\n \nThe following table is a reference for the _average_ rewards of specific classes of vulnerabilities. Rewards are calculated based on the severity and impact.\n \n(To be updated to reflect rewards per criticality according to the CVSS)\n\n|Vulnerability Types|Core Tube8 *|All Other|\n|---|---|---|\n|Remote Shell / Command Execution|$15,000|$5,000|\n|Remote Code Execution|$10,000|$2,500|\n|SQL Injection (with output)|$5,000|$2,500|\n|Significant Authentication Bypass|$5,000|$1,000|\n|Local File Inclusion|$2,500|$1,000|\n|SQL Injection (blind)|$2,500|$1,000|\n|Insecure Direct Object References|$1,500|$750|\n|Server Side Request Forgery|$1,500|$750|\n|Stored Cross Site Scripting|$1,500|$500|\n|Other Cross Site Scripting|$250|$50|\n \n*\\* Core Tube8 covers https://www.tube8.com/ as well as the official Tube8 mobile application. 
It does not include any other domains, sub-domains, or services, including any Tube8 blogs such as [Blog](https://blog.tube8.com/) or Support systems.*\n \nTube8 reserves the right to decide if the minimum severity threshold is met and whether the report was previously reported. Rewards are granted entirely at the discretion of Tube8.\n \nA good bug report should include the following information at a minimum:\n \n- List the URL and any affected parameters\n- Describe the browser, OS, and/or app version\n- Describe the perceived impact. How could the bug potentially be exploited?\n \n# Exceptions \u0026 Rules\n \nOur bug bounty program is limited strictly to technical security vulnerabilities of Tube8 services listed in the scope. Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.\n \nPlease do not mass create accounts to perform testing against Tube8 applications and services. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n \n# HackerOne Vulnerability Disclosure\n \nIn order for your report to be eligible for disclosure within HackerOne it should go through the Triage and Resolution steps. Any attempts to disclose unresolved, Informative or Duplicate reports will be rejected. 
\n \nThe following are strictly prohibited:\n \n- Denial-of-service attacks.\n- Physical attacks against offices and data centers.\n- Social engineering of our service desk, employees or contractors.\n- Compromise of a Tube8 user's or employee's account.\n- Automated tools or scans, botnets, compromised sites, end clients or any other means of large-scale automated exploitation, or use of any tool that generates a significant volume of traffic.\n \nAdditionally, the following vulnerabilities will not be considered for bounty:\n \n- Cross-site request forgery (CSRF)\n- Cross-domain leakage\n- Information disclosure\n- Information leakage, data cached in search engines or the web archive\n- Software version disclosure\n- Self-XSS and XSS without impact\n- Missing SPF or DMARC records\n- HttpOnly, SameSite and Secure cookie flags\n- SSL/TLS-related issues (such as missing HSTS, GET over HTTP, passwords sent over HTTP)\n- Password and account recovery policies\n- Session timeout\n- Session hijacking (cookie reuse)\n- Missing X-Frame-Options or X-Content-Type-Options headers\n- Account enumeration\n- Clickjacking\n- Rate limiting\n- Downloading video\n- Confirmation email (anything related to it)\n \n**Legal Notes:** \n \nYou must be at least 18 years old to participate in our Bug Bounty Program. \n \nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are responsible for paying any taxes associated with rewards.\n \nEmployees of the Company, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in our Bug Bounty Program but are not eligible for monetary rewards. 
The term “immediate family” includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, cohabitation or other family extension, and any other persons residing in the same household, whether or not related.\n \nWe reserve the right to modify the terms of this program or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.\n \nThank you for helping keep Tube8 safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-09T15:36:36.427Z"},{"id":3639401,"new_policy":"Security is a top priority at Tube8. We love to work with skilled security researchers to improve the security of our service. If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.\n \n# Scope\n \nAt this time, the scope of this program is limited to security vulnerabilities found on the Tube8 [and Tube8 Premium websites] [as well as in the Tube8 Mobile application]. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward. 
High-impact vulnerabilities outside of this scope might be considered on a case-by-case basis.\n \n**In-Scope Sub-Domains:**\n\n\u003e https://www.tube8.com/\n\u003e https://www.tube8.fr/\n\u003e https://www.tube8.es/\n\u003e https://de.tube8.com/\n\u003e https://jp.tube8.com/\n\n**Out-of-Scope Sub-Domains:**\n\n\u003e https://*.tube8.com/\n\u003e https://blog.tube8.com/\n\u003e https://support.tube8.com/\n\nFor account access issues or visual layout and website functionality (QA) bugs, please work with our [Customer Support](https://www.tube8.com/contact.html), who will resolve those issues independently. \n\n**Important:** \nContacting our support team about the status of a HackerOne report, or about the decision with which your report was concluded, will result in an immediate disqualification from receiving a reward. All communications must be conducted through HackerOne's communication system only.\n \n \n# Eligibility\n \nYou will qualify for a reward only if you are the first person to responsibly disclose an unknown issue. The Tube8 security team has up to 48 hours to first respond, up to 15 days to triage and reward the report, and up to 90 days to implement a fix, based on the severity of the report.\n \nPlease allow for this process to fully complete before attempting to contact us again. Note that posting details or conversations about the report, or posting details that reflect negatively on the program and the Tube8 brand, will result in immediate removal from the program.\n \n- Any vulnerability found must be reported no later than 24 hours after discovery.\n- You are not allowed to disclose details about the vulnerability anywhere else.\n- You must avoid tests that could cause degradation or interruption of our services.\n- You must not access, leak, manipulate, or destroy any user data.\n- You are only allowed to perform tests against accounts you own yourself.\n- The use of automated tools or scripted testing is not allowed. 
This includes vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts that may result in heavy traffic or flooding of any of our services.\n- To obtain any type of verified account on Tube8, your user account must be created using the HackerOne alias email 'username@wearehackerone.com'. \n \n# Rewards\n \nTo qualify for a reward under this program, you should:\n \n- Be the first to report a vulnerability.\n- Send a clear textual description of the report along with steps to reproduce the vulnerability (PoC).\n- Include attachments such as screenshots or proof-of-concept code as necessary.\n- Disclose the vulnerability report directly and exclusively to us. \n \nTube8 may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $XX USD, and our maximum reward amount is $XX,000 USD. \n*Reward amounts may vary depending upon the severity of the vulnerability reported.*\n \nSwag may be awarded as a bonus to qualifying, in-scope reports. We allow one swag item per researcher. We will not respond to repeated requests to be awarded swag under any circumstances.\n \nThe following table is a reference for the _average_ rewards of specific classes of vulnerabilities. Rewards are calculated based on the severity and impact.\n \n(To be updated to reflect rewards per criticality according to the CVSS)\n\n|Vulnerability Types|Core Tube8 *|All Other|\n|---|---|---|\n|Remote Shell / Command Execution|$15,000|$5,000|\n|Remote Code Execution|$10,000|$2,500|\n|SQL Injection (with output)|$5,000|$2,500|\n|Significant Authentication Bypass|$5,000|$1,000|\n|Local File Inclusion|$2,500|$1,000|\n|SQL Injection (blind)|$2,500|$1,000|\n|Insecure Direct Object References|$1,500|$750|\n|Server Side Request Forgery|$1,500|$750|\n|Stored Cross Site Scripting|$1,500|$500|\n|Other Cross Site Scripting|$250|$50|\n \n*\\* Core Tube8 covers https://www.tube8.com/ as well as the official Tube8 mobile application. 
It does not include any other domains, sub-domains, or services, including any Tube8 blogs such as [Blog](https://blog.tube8.com/) or Support systems.*\n \nTube8 reserves the right to decide if the minimum severity threshold is met and whether the report was previously reported. Rewards are granted entirely at the discretion of Tube8.\n \nA good bug report should include the following information at a minimum:\n \n- List the URL and any affected parameters\n- Describe the browser, OS, and/or app version\n- Describe the perceived impact. How could the bug potentially be exploited?\n \n# Exceptions \u0026 Rules\n \nOur bug bounty program is limited strictly to technical security vulnerabilities of Tube8 services listed in the scope. Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.\n \nPlease do not mass create accounts to perform testing against Tube8 applications and services. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n \n# HackerOne Vulnerability Disclosure\n \nIn order for your report to be eligible for disclosure within HackerOne it should go through the Triage and Resolution steps. Any attempts to disclose unresolved, Informative or Duplicate reports will be rejected. 
\n \nThe following are strictly prohibited:\n \n- Denial-of-service attacks.\n- Physical attacks against offices and data centers.\n- Social engineering of our service desk, employees or contractors.\n- Compromise of a Tube8 user's or employee's account.\n- Automated tools or scans, botnets, compromised sites, end clients or any other means of large-scale automated exploitation, or use of any tool that generates a significant volume of traffic.\n \nAdditionally, the following vulnerabilities will not be considered for bounty:\n \n- Cross-site request forgery (CSRF)\n- Cross-domain leakage\n- Information disclosure\n- Information leakage, data cached in search engines or the web archive\n- Software version disclosure\n- Self-XSS and XSS without impact\n- Missing SPF or DMARC records\n- HttpOnly, SameSite and Secure cookie flags\n- SSL/TLS-related issues (such as missing HSTS, GET over HTTP, passwords sent over HTTP)\n- Password and account recovery policies\n- Session timeout\n- Session hijacking (cookie reuse)\n- Missing X-Frame-Options or X-Content-Type-Options headers\n- Account enumeration\n- Clickjacking\n- Rate limiting\n- Downloading video\n- Confirmation email (anything related to it)\n \n**Legal Notes:** \n \nYou must be at least 18 years old to participate in our Bug Bounty Program. \n \nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are responsible for paying any taxes associated with rewards.\n \nEmployees of the Company, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in our Bug Bounty Program but are not eligible for monetary rewards. 
The term “immediate family” includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, cohabitation or other family extension, and any other persons residing in the same household, whether or not related.\n \nWe reserve the right to modify the terms of this program or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.\n \nThank you for helping keep Tube8 safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-09T15:35:38.336Z"},{"id":3639279,"new_policy":"Security is a top priority at Tube8. We love to work with skilled security researchers to improve the security of our service. If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.\n \n# Scope\n \nAt this time, the scope of this program is limited to security vulnerabilities found on the Tube8 [and Tube8 Premium websites] [as well as in the Tube8 Mobile application]. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward. 
High-impact vulnerabilities outside of this scope might be considered on a case-by-case basis.\n \n**In-Scope Sub-Domains:**\n\n\u003e https://www.tube8.com/\n\u003e https://www.tube8.fr/\n\u003e https://www.tube8.es/\n\u003e https://de.tube8.com/\n\u003e https://jp.tube8.com/\n\n**Out-of-Scope Sub-Domains:**\n\n\u003e https://*.tube8.com/\n\u003e https://blog.tube8.com/\n\nFor account access issues or visual layout and website functionality (QA) bugs, please work with our [Customer Support](https://www.tube8.com/contact.html), who will resolve those issues independently. \n\n**Important:** \nContacting our support team about the status of a HackerOne report, or about the decision with which your report was concluded, will result in an immediate disqualification from receiving a reward. All communications must be conducted through HackerOne's communication system only.\n \n \n# Eligibility\n \nYou will qualify for a reward only if you are the first person to responsibly disclose an unknown issue. The Tube8 security team has up to 48 hours to first respond, up to 15 days to triage and reward the report, and up to 90 days to implement a fix, based on the severity of the report.\n \nPlease allow for this process to fully complete before attempting to contact us again. Note that posting details or conversations about the report, or posting details that reflect negatively on the program and the Tube8 brand, will result in immediate removal from the program.\n \n- Any vulnerability found must be reported no later than 24 hours after discovery.\n- You are not allowed to disclose details about the vulnerability anywhere else.\n- You must avoid tests that could cause degradation or interruption of our services.\n- You must not access, leak, manipulate, or destroy any user data.\n- You are only allowed to perform tests against accounts you own yourself.\n- The use of automated tools or scripted testing is not allowed. 
This includes vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts that may result in heavy traffic or flooding of any of our services.\n- To obtain any type of verified account on Tube8, your user account must be created using the HackerOne alias email 'username@wearehackerone.com'. \n \n# Rewards\n \nTo qualify for a reward under this program, you should:\n \n- Be the first to report a vulnerability.\n- Send a clear textual description of the report along with steps to reproduce the vulnerability (PoC).\n- Include attachments such as screenshots or proof-of-concept code as necessary.\n- Disclose the vulnerability report directly and exclusively to us. \n \nTube8 may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $XX USD, and our maximum reward amount is $XX,000 USD. \n*Reward amounts may vary depending upon the severity of the vulnerability reported.*\n \nSwag may be awarded as a bonus to qualifying, in-scope reports. We allow one swag item per researcher. We will not respond to repeated requests to be awarded swag under any circumstances.\n \nThe following table is a reference for the _average_ rewards of specific classes of vulnerabilities. Rewards are calculated based on the severity and impact.\n \n(To be updated to reflect rewards per criticality according to the CVSS)\n\n|Vulnerability Types|Core Tube8 *|All Other|\n|---|---|---|\n|Remote Shell / Command Execution|$15,000|$5,000|\n|Remote Code Execution|$10,000|$2,500|\n|SQL Injection (with output)|$5,000|$2,500|\n|Significant Authentication Bypass|$5,000|$1,000|\n|Local File Inclusion|$2,500|$1,000|\n|SQL Injection (blind)|$2,500|$1,000|\n|Insecure Direct Object References|$1,500|$750|\n|Server Side Request Forgery|$1,500|$750|\n|Stored Cross Site Scripting|$1,500|$500|\n|Other Cross Site Scripting|$250|$50|\n \n*\\* Core Tube8 covers https://www.tube8.com/ as well as the official Tube8 mobile application. 
It does not include any other domains, sub-domains, or services, including any Tube8 blogs such as [Blog](https://blog.tube8.com/) or Support systems.*\n \nTube8 reserves the right to decide if the minimum severity threshold is met and whether the report was previously reported. Rewards are granted entirely at the discretion of Tube8.\n \nA good bug report should include the following information at a minimum:\n \n- List the URL and any affected parameters\n- Describe the browser, OS, and/or app version\n- Describe the perceived impact. How could the bug potentially be exploited?\n \n# Exceptions \u0026 Rules\n \nOur bug bounty program is limited strictly to technical security vulnerabilities of Tube8 services listed in the scope. Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.\n \nPlease do not mass create accounts to perform testing against Tube8 applications and services. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n \n# HackerOne Vulnerability Disclosure\n \nIn order for your report to be eligible for disclosure within HackerOne it should go through the Triage and Resolution steps. Any attempts to disclose unresolved, Informative or Duplicate reports will be rejected. 
\n \nThe following are strictly prohibited:\n \n- Denial-of-service attacks.\n- Physical attacks against offices and data centers.\n- Social engineering of our service desk, employees or contractors.\n- Compromise of a Tube8 user's or employee's account.\n- Automated tools or scans, botnets, compromised sites, end clients or any other means of large-scale automated exploitation, or use of any tool that generates a significant volume of traffic.\n \nAdditionally, the following vulnerabilities will not be considered for bounty:\n \n- Cross-site request forgery (CSRF)\n- Cross-domain leakage\n- Information disclosure\n- Information leakage, data cached in search engines or the web archive\n- Software version disclosure\n- Self-XSS and XSS without impact\n- Missing SPF or DMARC records\n- HttpOnly, SameSite and Secure cookie flags\n- SSL/TLS-related issues (such as missing HSTS, GET over HTTP, passwords sent over HTTP)\n- Password and account recovery policies\n- Session timeout\n- Session hijacking (cookie reuse)\n- Missing X-Frame-Options or X-Content-Type-Options headers\n- Account enumeration\n- Clickjacking\n- Rate limiting\n- Downloading video\n- Confirmation email (anything related to it)\n \n**Legal Notes:** \n \nYou must be at least 18 years old to participate in our Bug Bounty Program. \n \nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are responsible for paying any taxes associated with rewards.\n \nEmployees of the Company, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in our Bug Bounty Program but are not eligible for monetary rewards. 
The term “immediate family” includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, co-habitation or other family extension, and any other persons residing at the same household whether or not related.\n \nWe reserve the right to modify the terms of this program or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.\n \nThank you for helping keep Tube8 safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-07T05:39:49.520Z"},{"id":3639278,"new_policy":"Security is a top priority at Tube8. We love to work with skilled security researchers to improve the security of our service. If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.\n \n# Scope\n \nAt this time, the scope of this program is limited to security vulnerabilities found on the Tube8 [and Tube8 Premium websites] [as well as in the Tube8 Mobile application]. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward. 
High-impact vulnerabilities outside of this scope might be considered on a case-by-case basis.\n \n**In-Scope Sub-Domains:**\n\n\u003e https://www.tube8.com/\n\u003e https://www.tube8.fr/\n\u003e https://www.tube8.es/\n\u003e https://de.tube8.com/\n\u003e https://jp.tube8.com/\n\n**Out-of-Scope Sub-Domains:**\n\n\u003e https://*.tube8.com/\n\u003e https://blog.tube8.com/\n\nFor account access issues or visual layout and website functionality (QA) bugs, please work with our [Customer Support](https://www.tube8.com/contact.html) which will resolve those issues independently. \n\n**Important:** \nContacting our support team about the status of a HackerOne report, or about the decision with which your report was concluded, will result in an immediate disqualification from receiving a reward. All communications must be conducted through HackerOne's communication system only.\n \n \n# Eligibility\n \nYou will qualify for a reward only if you are the first person to responsibly disclose an unknown issue. The Tube8 security team has up to 48 hours to first respond, up to 15 days to triage and reward the report, and up to 90 days to implement a fix based on the severity of the report.\n \nPlease allow this process to fully complete before attempting to contact us again. Note that posting details or conversations about the report, or posting details that reflect negatively on the program and the Tube8 brand, will result in immediate removal from the program.\n \n- Any vulnerability found must be reported no later than 24 hours after discovery.\n- You are not allowed to disclose details about the vulnerability anywhere else.\n- You must avoid tests that could cause degradation or interruption of our services.\n- You must not access, leak, manipulate, or destroy any user data.\n- You are only allowed to perform tests against accounts you own yourself.\n- The use of automated tools or scripted testing is not allowed. 
This includes vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts which may result in heavy traffic or flooding of any of our services.\n- To obtain any type of verified account on Tube8, your user account must be created using the HackerOne alias email 'username@wearehackerone.com'. \n \n# Rewards\n \nTo qualify for a reward under this program, you should:\n \n- Be the first to report a vulnerability.\n- Send a clear textual description of the report along with steps to reproduce the vulnerability (PoC).\n- Include attachments such as screenshots or proof-of-concept code as necessary.\n- Disclose the vulnerability report directly and exclusively to us. \n \nTube8 may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $XX USD, and our maximum reward amount is $XX,000 USD. \n*Reward amounts may vary depending upon the severity of the vulnerability reported.*\n \nSwag may be awarded as a bonus to qualifying, in-scope reports. We allow one swag item per researcher. We will not respond to repeated requests to be awarded swag under any circumstances.\n \nThe following table is a reference for the _average_ rewards of specific classes of vulnerabilities. Rewards are calculated based on severity and impact.\n \n(To be updated to reflect rewards per criticality according to the CVSS)\n \n|Vulnerability Types|Core Tube8 *|All Other|\n|---|---|---|\n|Remote Shell / Command Execution|$15,000|$5,000|\n|Remote Code Execution|$10,000|$2,500|\n|SQL Injection (with output)|$5,000|$2,500|\n|Significant Authentication Bypass|$5,000|$1,000|\n|Local File Inclusion|$2,500|$1,000|\n|SQL Injection (blind)|$2,500|$1,000|\n|Insecure Direct Object References|$1,500|$750|\n|Server Side Request Forgery|$1,500|$750|\n|Stored Cross Site Scripting|$1,500|$500|\n|Other Cross Site Scripting|$250|$50|\n \n*\\* Core Tube8 covers https://www.tube8.com/ as well as the official Tube8 mobile application. 
It does not include any other domains, sub-domains, or services, including any Tube8 blogs such as [Blog](https://blog.tube8.com/) or Support systems.*\n \nTube8 reserves the right to decide if the minimum severity threshold is met and whether the report was previously reported. Rewards are granted entirely at the discretion of Tube8.\n \nA good bug report should include the following information at a minimum:\n \n- List the URL and any affected parameters\n- Describe the browser, OS, and/or app version\n- Describe the perceived impact. How could the bug potentially be exploited?\n \n# Exceptions \u0026 Rules\n \nOur bug bounty program is limited strictly to technical security vulnerabilities of Tube8 services listed in the scope. Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.\n \nPlease do not mass create accounts to perform testing against Tube8 applications and services. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n \n# HackerOne Vulnerability Disclosure\n \nIn order for your report to be eligible for disclosure within HackerOne it should go through the Triage and Resolution steps. Any attempts to disclose unresolved, Informative or Duplicate reports will be rejected. 
\n \nThe following are strictly prohibited:\n \n- Denial of Service attacks.\n- Physical attacks against offices and data centers.\n- Social engineering of our service desk, employees or contractors.\n- Compromise of a Tube8 user's or employee's account.\n- Automated tools or scans, botnets, compromised sites, end-clients or any other means of large-scale automated exploitation, or use of a tool that generates a significant volume of traffic.\n \nAdditionally, the following vulnerabilities will not be considered for bounty:\n \n- Cross site request forgery (CSRF)\n- Cross domain leakage\n- Information disclosure\n- Information leakage, data cached in search engines or the web archive\n- Software version disclosure\n- Self-XSS and XSS without impact\n- Missing SPF or DMARC records\n- HttpOnly, SameSite and Secure cookie flags\n- SSL/TLS related (such as HSTS, GET over HTTP, password sent over HTTP)\n- Password and account recovery policies\n- Session timeout\n- Session hijacking (cookie reuse)\n- Missing X-Frame-Options or X-Content-Type-Options headers\n- Account enumeration\n- Clickjacking\n- Rate limiting\n- Downloading video\n- Confirmation email (anything related to it)\n \n**Legal Notes:** \n \nYou must be at least 18 years old to participate in our Bug Bounty Program. \n \nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are responsible for paying any taxes associated with rewards.\n \nEmployees of the Company, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in our Bug Bounty Program but are not eligible for monetary rewards. 
The term “immediate family” includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, co-habitation or other family extension, and any other persons residing at the same household whether or not related.\n \nWe reserve the right to modify the terms of this program or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.\n \nThank you for helping keep Tube8 safe!\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-07T05:39:40.383Z"},{"id":3639277,"new_policy":"Security is a top priority at Tube8. We love to work with skilled security researchers to improve the security of our service. If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.\n \n# Scope\n \nAt this time, the scope of this program is limited to security vulnerabilities found on the Tube8 [and Tube8 Premium websites] [as well as in the Tube8 Mobile application]. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward. 
High-impact vulnerabilities outside of this scope might be considered on a case-by-case basis.\n \n**In-Scope Sub-Domains:**\n\n\u003e https://www.tube8.com/\n\u003e https://www.tube8.fr/\n\u003e https://www.tube8.es/\n\u003e https://de.tube8.com/\n\u003e https://jp.tube8.com/\n\n**Out-of-Scope Sub-Domains:**\n\n\u003e https://*.tube8.com/\n\u003e https://blog.tube8.com/\n\nFor account access issues or visual layout and website functionality bugs, please work with our [Customer Support](https://www.tube8.com/contact.html) which will resolve those issues independently. \n\n**Important:** \nContacting our support team about the status of a HackerOne report, or about the decision with which your report was concluded, will result in an immediate disqualification from receiving a reward. All communications must be conducted through HackerOne's communication system only.\n \n \n# Eligibility\n \nYou will qualify for a reward only if you are the first person to responsibly disclose an unknown issue. The Tube8 security team has up to 48 hours to first respond, up to 15 days to triage and reward the report, and up to 90 days to implement a fix based on the severity of the report.\n \nPlease allow this process to fully complete before attempting to contact us again. Note that posting details or conversations about the report, or posting details that reflect negatively on the program and the Tube8 brand, will result in immediate removal from the program.\n \n- Any vulnerability found must be reported no later than 24 hours after discovery.\n- You are not allowed to disclose details about the vulnerability anywhere else.\n- You must avoid tests that could cause degradation or interruption of our services.\n- You must not access, leak, manipulate, or destroy any user data.\n- You are only allowed to perform tests against accounts you own yourself.\n- The use of automated tools or scripted testing is not allowed. 
This includes vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts which may result in heavy traffic or flooding of any of our services.\n- To obtain any type of verified account on Tube8, your user account must be created using the HackerOne alias email 'username@wearehackerone.com'. \n \n# Rewards\n \nTo qualify for a reward under this program, you should:\n \n- Be the first to report a vulnerability.\n- Send a clear textual description of the report along with steps to reproduce the vulnerability (PoC).\n- Include attachments such as screenshots or proof-of-concept code as necessary.\n- Disclose the vulnerability report directly and exclusively to us. \n \nTube8 may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $XX USD, and our maximum reward amount is $XX,000 USD. \n*Reward amounts may vary depending upon the severity of the vulnerability reported.*\n \nSwag may be awarded as a bonus to qualifying, in-scope reports. We allow one swag item per researcher. We will not respond to repeated requests to be awarded swag under any circumstances.\n \nThe following table is a reference for the _average_ rewards of specific classes of vulnerabilities. Rewards are calculated based on severity and impact.\n \n(To be updated to reflect rewards per criticality according to the CVSS)\n \n|Vulnerability Types|Core Tube8 *|All Other|\n|---|---|---|\n|Remote Shell / Command Execution|$15,000|$5,000|\n|Remote Code Execution|$10,000|$2,500|\n|SQL Injection (with output)|$5,000|$2,500|\n|Significant Authentication Bypass|$5,000|$1,000|\n|Local File Inclusion|$2,500|$1,000|\n|SQL Injection (blind)|$2,500|$1,000|\n|Insecure Direct Object References|$1,500|$750|\n|Server Side Request Forgery|$1,500|$750|\n|Stored Cross Site Scripting|$1,500|$500|\n|Other Cross Site Scripting|$250|$50|\n \n*\\* Core Tube8 covers https://www.tube8.com/ as well as the official Tube8 mobile application. 
It does not include any other domains, sub-domains, or services, including any Tube8 blogs such as [Blog](https://blog.tube8.com/) or Support systems.*\n \nTube8 reserves the right to decide if the minimum severity threshold is met and whether the report was previously reported. Rewards are granted entirely at the discretion of Tube8.\n \nA good bug report should include the following information at a minimum:\n \n- List the URL and any affected parameters\n- Describe the browser, OS, and/or app version\n- Describe the perceived impact. How could the bug potentially be exploited?\n \n# Exceptions \u0026 Rules\n \nOur bug bounty program is limited strictly to technical security vulnerabilities of Tube8 services listed in the scope. Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.\n \nPlease do not mass create accounts to perform testing against Tube8 applications and services. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n \n# HackerOne Vulnerability Disclosure\n \nIn order for your report to be eligible for disclosure within HackerOne it should go through the Triage and Resolution steps. Any attempts to disclose unresolved, Informative or Duplicate reports will be rejected. 
\n \nThe following are strictly prohibited:\n \n- Denial of Service attacks.\n- Physical attacks against offices and data centers.\n- Social engineering of our service desk, employees or contractors.\n- Compromise of a Tube8 user's or employee's account.\n- Automated tools or scans, botnets, compromised sites, end-clients or any other means of large-scale automated exploitation, or use of a tool that generates a significant volume of traffic.\n \nAdditionally, the following vulnerabilities will not be considered for bounty:\n \n- Cross site request forgery (CSRF)\n- Cross domain leakage\n- Information disclosure\n- Information leakage, data cached in search engines or the web archive\n- Software version disclosure\n- Self-XSS and XSS without impact\n- Missing SPF or DMARC records\n- HttpOnly, SameSite and Secure cookie flags\n- SSL/TLS related (such as HSTS, GET over HTTP, password sent over HTTP)\n- Password and account recovery policies\n- Session timeout\n- Session hijacking (cookie reuse)\n- Missing X-Frame-Options or X-Content-Type-Options headers\n- Account enumeration\n- Clickjacking\n- Rate limiting\n- Downloading video\n- Confirmation email (anything related to it)\n \n**Legal Notes:** \n \nYou must be at least 18 years old to participate in our Bug Bounty Program. \n \nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are responsible for paying any taxes associated with rewards.\n \nEmployees of the Company, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in our Bug Bounty Program but are not eligible for monetary rewards. 
The term “immediate family” includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, co-habitation or other family extension, and any other persons residing at the same household whether or not related.\n \nWe reserve the right to modify the terms of this program or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.\n \nThank you for helping keep Tube8 safe!\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-07T05:38:25.361Z"},{"id":3639276,"new_policy":"Security is a top priority at Tube8. We love to work with skilled security researchers to improve the security of our service. If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.\n \n# Scope\n \nAt this time, the scope of this program is limited to security vulnerabilities found on the Tube8 [and Tube8 Premium websites] [as well as in the Tube8 Mobile application]. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward. 
High-impact vulnerabilities outside of this scope might be considered on a case-by-case basis.\n \n**In-Scope Sub-Domains:**\n\n\u003e https://www.tube8.com/\n\u003e https://www.tube8.fr/\n\u003e https://www.tube8.es/\n\u003e https://de.tube8.com/\n\u003e https://jp.tube8.com/\n\n**Out-of-Scope Sub-Domains:**\n\n- https://*.tube8.com/\n- https://blog.tube8.com/\n\nFor account access issues or visual layout and website functionality bugs, please work with our [Customer Support](https://www.tube8.com/contact.html) which will resolve those issues independently. \n\n**Important:** \nContacting our support team about the status of a HackerOne report, or about the decision with which your report was concluded, will result in an immediate disqualification from receiving a reward. All communications must be conducted through HackerOne's communication system only.\n \n \n# Eligibility\n \nYou will qualify for a reward only if you are the first person to responsibly disclose an unknown issue. The Tube8 security team has up to 48 hours to first respond, up to 15 days to triage and reward the report, and up to 90 days to implement a fix based on the severity of the report.\n \nPlease allow this process to fully complete before attempting to contact us again. Note that posting details or conversations about the report, or posting details that reflect negatively on the program and the Tube8 brand, will result in immediate removal from the program.\n \n- Any vulnerability found must be reported no later than 24 hours after discovery.\n- You are not allowed to disclose details about the vulnerability anywhere else.\n- You must avoid tests that could cause degradation or interruption of our services.\n- You must not access, leak, manipulate, or destroy any user data.\n- You are only allowed to perform tests against accounts you own yourself.\n- The use of automated tools or scripted testing is not allowed. 
This includes vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts which may result in heavy traffic or flooding of any of our services.\n- To obtain any type of verified account on Tube8, your user account must be created using the HackerOne alias email 'username@wearehackerone.com'. \n \n# Rewards\n \nTo qualify for a reward under this program, you should:\n \n- Be the first to report a vulnerability.\n- Send a clear textual description of the report along with steps to reproduce the vulnerability (PoC).\n- Include attachments such as screenshots or proof-of-concept code as necessary.\n- Disclose the vulnerability report directly and exclusively to us. \n \nTube8 may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $XX USD, and our maximum reward amount is $XX,000 USD. \n*Reward amounts may vary depending upon the severity of the vulnerability reported.*\n \nSwag may be awarded as a bonus to qualifying, in-scope reports. We allow one swag item per researcher. We will not respond to repeated requests to be awarded swag under any circumstances.\n \nThe following table is a reference for the _average_ rewards of specific classes of vulnerabilities. Rewards are calculated based on severity and impact.\n \n(To be updated to reflect rewards per criticality according to the CVSS)\n \n|Vulnerability Types|Core Tube8 *|All Other|\n|---|---|---|\n|Remote Shell / Command Execution|$15,000|$5,000|\n|Remote Code Execution|$10,000|$2,500|\n|SQL Injection (with output)|$5,000|$2,500|\n|Significant Authentication Bypass|$5,000|$1,000|\n|Local File Inclusion|$2,500|$1,000|\n|SQL Injection (blind)|$2,500|$1,000|\n|Insecure Direct Object References|$1,500|$750|\n|Server Side Request Forgery|$1,500|$750|\n|Stored Cross Site Scripting|$1,500|$500|\n|Other Cross Site Scripting|$250|$50|\n \n*\\* Core Tube8 covers https://www.tube8.com/ as well as the official Tube8 mobile application. 
It does not include any other domains, sub-domains, or services, including any Tube8 blogs such as [Blog](https://blog.tube8.com/) or Support systems.*\n \nTube8 reserves the right to decide if the minimum severity threshold is met and whether the report was previously reported. Rewards are granted entirely at the discretion of Tube8.\n \nA good bug report should include the following information at a minimum:\n \n- List the URL and any affected parameters\n- Describe the browser, OS, and/or app version\n- Describe the perceived impact. How could the bug potentially be exploited?\n \n# Exceptions \u0026 Rules\n \nOur bug bounty program is limited strictly to technical security vulnerabilities of Tube8 services listed in the scope. Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.\n \nPlease do not mass create accounts to perform testing against Tube8 applications and services. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n \n# HackerOne Vulnerability Disclosure\n \nIn order for your report to be eligible for disclosure within HackerOne it should go through the Triage and Resolution steps. Any attempts to disclose unresolved, Informative or Duplicate reports will be rejected. 
\n \nThe following are strictly prohibited:\n \n- Denial of Service attacks.\n- Physical attacks against offices and data centers.\n- Social engineering of our service desk, employees or contractors.\n- Compromise of a Tube8 user's or employee's account.\n- Automated tools or scans, botnets, compromised sites, end-clients or any other means of large-scale automated exploitation, or use of a tool that generates a significant volume of traffic.\n \nAdditionally, the following vulnerabilities will not be considered for bounty:\n \n- Cross site request forgery (CSRF)\n- Cross domain leakage\n- Information disclosure\n- Information leakage, data cached in search engines or the web archive\n- Software version disclosure\n- Self-XSS and XSS without impact\n- Missing SPF or DMARC records\n- HttpOnly, SameSite and Secure cookie flags\n- SSL/TLS related (such as HSTS, GET over HTTP, password sent over HTTP)\n- Password and account recovery policies\n- Session timeout\n- Session hijacking (cookie reuse)\n- Missing X-Frame-Options or X-Content-Type-Options headers\n- Account enumeration\n- Clickjacking\n- Rate limiting\n- Downloading video\n- Confirmation email (anything related to it)\n \n**Legal Notes:** \n \nYou must be at least 18 years old to participate in our Bug Bounty Program. \n \nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are responsible for paying any taxes associated with rewards.\n \nEmployees of the Company, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in our Bug Bounty Program but are not eligible for monetary rewards. 
The term “immediate family” includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, co-habitation or other family extension, and any other persons residing at the same household whether or not related.\n \nWe reserve the right to modify the terms of this program or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.\n \nThank you for helping keep Tube8 safe!\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-07T05:30:56.492Z"},{"id":3605635,"new_policy":"Security is a top priority at Tube8. We love to work with skilled security researchers to improve the security of our service. If you believe you've found a security bug in the services listed in our scope, we will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.\n\n# Scope\n\nAt this time, the scope of this program is limited to security vulnerabilities found on Tube8.com and its associated language-based domains and sub-domains. Vulnerabilities reported on other properties or applications are currently not eligible for monetary reward. 
High-impact vulnerabilities outside of this scope might be considered on a case-by-case basis.\n\n**In-Scope Sub-Domains:**\n\n- https://www.tube8.com/\n- https://www.tube8.fr/\n- https://www.tube8.es/\n- https://de.tube8.com/\n- https://jp.tube8.com/\n\n**Out-of-Scope Sub-Domains:**\n\n- https://*.tube8.com/\n- https://blog.tube8.com/\n\nFor account access issues or visual layout and website functionality bugs, please work with our [Customer Support](https://www.tube8.com/contact.html) which will resolve those issues independently. \n\n**Note:** Contacting our support team about the status of a HackerOne report will result in an immediate disqualification from receiving a reward. All communications must be conducted through the HackerOne system only.\n\n# Eligibility\n\nYou will qualify for a reward only if you are the first person to responsibly disclose an unknown issue. The Tube8 security team has 30 days to respond to the report, and up to 120 days to implement a fix based on the severity of the report.\n\nPlease allow this process to fully complete before attempting to contact us again. Note that posting details or conversations about the report, or posting details that reflect negatively on the program and the Tube8 brand, will result in immediate removal from the program.\n\n- Any vulnerability found must be reported no later than 24 hours after discovery.\n- You are not allowed to disclose details about the vulnerability anywhere else.\n- You must avoid tests that could cause degradation or interruption of our service.\n- You must not leak, manipulate, or destroy any user data.\n- You are only allowed to test against accounts you own yourself.\n- The use of automated tools or scripted testing is not allowed. 
This includes vulnerability scanning tools such as OWASP ZAP and Vega, or any tools or scripts which may result in heavy traffic or flooding of any of our services.\n\n# Rewards\n\nTube8 may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD, and our maximum reward amount is $25,000 USD. Reward amounts may vary depending upon the severity of the vulnerability reported. \n\nSwag may be awarded as a bonus to qualifying, in-scope reports. We allow one swag item per researcher. We will not respond to repeated requests to be awarded swag under any circumstances.\n\nThe following table outlines the _average_ rewards for specific classes of vulnerabilities:\n\n|Vulnerability Types|Core Tube8 *|\n|---|---|\n|Remote Shell / Command Execution|$15,000|\n|Remote Code Execution|$10,000|\n|SQL Injection (with output)|$5,000|\n|Significant Authentication Bypass|$5,000|\n|Local File Inclusion|$2,500|\n|SQL Injection (blind)|$2,500|\n|Insecure Direct Object References|$1,500|\n|Server Side Request Forgery|$1,500|\n|Stored Cross Site Scripting|$1,500|\n|Other Cross Site Scripting|$250|\n\n*\\* Core Tube8 covers tube8.com and its associated language-based domains and sub-domains (https://www.tube8.fr, https://www.tube8.es, https://de.tube8.com, https://jp.tube8.com). It does not include any other domains, sub-domains, or services such as the Tube8 Blog (https://blog.tube8.com).\n\nTube8 reserves the right to decide if the minimum severity threshold is met and whether it was previously reported. Rewards are granted entirely at the discretion of Tube8.\n\nTo qualify for a reward under this program, you should:\n\n- Be the first to report a vulnerability.\n- Send a clear textual description of the report along with steps to reproduce the vulnerability.\n- Include attachments such as screenshots or proof-of-concept code as necessary.\n- Disclose the vulnerability report directly and exclusively to us. 
\n\nA good bug report should include the following information at a minimum:\n\n- List the URL and any affected parameters\n- Describe the browser, OS, and/or app version\n- Describe the perceived impact. How could the bug potentially be exploited?\n\n# Exceptions \u0026 Rules\n\nOur bug bounty program is limited strictly to technical security vulnerabilities of Tube8 services listed in the scope. Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed.\n\nPlease do not mass-create accounts to perform testing against Tube8 applications and services. Also do not perform brute-force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.\n\nThe following are strictly prohibited:\n\n- Denial of Service attacks.\n- Physical attacks against offices and data centers.\n- Social engineering of our service desk, employees or contractors.\n- Compromise of a Tube8 user's or employee's account.\n- Automated tools or scans, botnets, compromised sites, end-clients or any other means of large-scale automated exploitation, or use of a tool that generates a significant volume of traffic.\n\nAdditionally, the following vulnerabilities will not be considered for bounty:\n\n- Cross site request forgery (CSRF)\n- Cross domain leakage\n- Information disclosure\n- Software version disclosure\n- Self-XSS and XSS without impact\n- Missing SPF or DMARC records\n- HttpOnly and Secure cookie flags\n- SSL/TLS related (such as HSTS, GET over HTTP, password sent over HTTP)\n- Password and account recovery policies\n- Session timeout\n- Session hijacking (cookie reuse)\n- Missing X-Frame-Options or X-Content-Type-Options headers\n- Account enumeration\n- Clickjacking\n- Rate limiting\n- Downloading video\n- Confirmation email (anything related to it)\n\n**Legal Notes:** \n\nYou must be at least 18 years old to participate in our Bug Bounty Program. 
\n\nPayments are made through [HackerOne](https://hackerone.com/faq#for-hackers-question-how-do-i-get-paid) only. You are responsible for paying any taxes associated with rewards.\n\nEmployees of the Company, its affiliates, subsidiaries, agencies and divisions, partners, and their respective employees and immediate family members can responsibly disclose vulnerabilities by participating in our Bug Bounty Program but are not eligible for monetary rewards. The term “immediate family” includes spouses, siblings, parents, children, grandparents, and grandchildren, whether as “in-laws,” or by current or past marriage(s), remarriage(s), adoption, co-habitation or other family extension, and any other persons residing at the same household whether or not related.\n\nWe reserve the right to modify the terms of this program or terminate this program at any time. By participating in this program, you agree to be bound by these rules. You must comply with all applicable laws in connection with your participation in this program.\n\nThank you for helping keep Tube8 safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-03-20T19:50:45.536Z"}]