Dimar FZC LLC
Flamingo Villas A-32-01-05-03 25314 United Arab Emirates, Ajman
+971585072431, https://smsactivate.s3.eu-central-1.amazonaws.com/assets/img/icons/logo/logo.svg, [email protected]
Didn't find the service you need?
Selecting a service

Infrastructure, Web Services, SMS-Activate apps

You need to find vulnerabilities of infrastructure, services and applications that deal with private data. The hunting area: domains, mobile and desktop applications.
Report an error
bug-hunter-image

Rules of participation in the Bug Bounty program

Welcome to the Bug Bounty program! Your participation helps improve the security of our products and services. Please, familiarize yourself with the following rules to ensure effective and ethical collaboration

Registration and Verification

  • Registration: to participate in the program you first need to sign up for the website sms-activate.org Provide your Telegram account during the registration process for easy communication;
  • Verification: You have to go through the verification process to receive payments. Detailed instructions will be sent to you via Telegram once your report is approved.

Providing reports

  • Studying the Rules: Before submitting your report, please familiarize yourself with the rules of participation and the types of vulnerabilities that can be considered;
  • Reporting Form: use the form on the page sms-activate.org/bugBountyForm to submit your report. Your report should contain a clear description of the vulnerability, steps to reproduce it, evidence (screenshots, videos) and recommendations for fixing it;
  • Additional files: attach additional files to confirm the vulnerability if necessary;

Reviewing reports process

Your report will be carefully analyzed by our security specialists. This process can take up to three months. During this time, the report may be assigned one of the following statuses: "pending", "sorted", "rejected by moderator", "more information required", and others.

Types of vulnerabilities

IN you will find the list of vulnerabilities' types that are not eligible for getting a reward. In criteria for assessing the importance level of a vulnerability are specified.

Verification and privacy

All personal data provided by you for verification purposes will be used solely for identification purposes, and will not be disclosed to third parties without your agreement. We make all our best to ensure privacy and security of your data.

Payments

After successful verification and confirmation of the vulnerability, you will be offered a reward. The amount of the reward is determined based on the level of importance of the vulnerability and the quality of the provided report.

Ethical norms

We expect participants to act responsibly and ethically. It is not permitted to exploit found vulnerabilities to cause damage, gain unauthorized access to data or systems, or spread information about the vulnerability until it is fixed.

Conclusion

We value your contribution to improving the security of our products and services. Your participation helps create a safer digital space for all of us.
We wish you luck in searching for vulnerabilities! Your contribution is priceless, so we are grateful for your help in securing our systems.

Appendix A

Types of vulnerabilities that are not the objects of a reward (low-level vulnerabilities that do not have critical consequences if exploited, including):
  • IDOR (reports on this type of vulnerability are accepted only in case of a high level of criticality; the level of criticality is determined by our specialist when the vulnerability is confirmed);
  • Any kind of XSS vulnerabilities, except for Stored XSS (Stored XSS vulnerability reports are accepted depending on the importance of the web resource);
  • Clickjacking;
  • Insecure Redirect URI;
  • Directory Listing Enabled (passwords, backups) and Sensitive data exposure (depending on the disclosed data; reports on this vulnerability are accepted if critical data is found);
  • Enabled debug mode, that doesn't disclose critical data;
  • CSRF vulnerabilities, found within a function that is not critical;
  • Disclosure of the admin panel (if the bug hunter finds the admin dashboard, but is unable to perform account takeover or obtain other critical information);
  • User Enumeration with no disclosing critical data;
  • Security Misconfiguration, in case there is no evidence that the threat has been realized;
  • Refuse to provide services;
  • Spam;
  • Social engineering, aimed at employees, contractors or customers;
  • Any physical attempts to gain access to property or data centers
  • System's owner;
  • Report created by using automated tools and scans;
  • Errors in a third-party software;
  • Absence of security headers that don't lead directly to a vulnerability;
  • SSL / TLS trust violation;
  • Vulnerabilities affecting only users of outdated or unlicensed browsers and platforms;
  • Password and account recovery policies, such as the expiration date of a reset link or password strength;
  • Outdated DNS record, pointing to a system that does not belong to the system owner.

Contents

Appendix B

Types of vulnerabilities by the level of criticality:
Vulnerability
Low
Medium
High
Path Traversal
10
40
70
Directory Listing Enabled
10
40
Insecure Redirect URI
5
10
Clickjacking
5
Brute Force
5
SQL Injection (empty database, useful database)
10
40
70
XML External Entity Injection
50
70
Local File Inclusion
50
Remote Code Execution
10
50
100
Authentication Bypass
50
90
Account Takeover
50
90
Insecure Direct Object References
10
Stored XSS
20-30
Reflected XSS
10-20
Server-Side Request
40-60
Cross-Site Request Forgery
10-20
Race Condition
10
90
Server-Side Template Injection
20
80
Path Traversal
Low
10
Medium
40
High
70
Directory Listing Enabled
Low
10
Medium
40
High
Insecure Redirect URI
Low
5
Medium
10
High
Clickjacking
Low
5
Medium
High
Brute Force
Low
5
Medium
High
SQL Injection (empty database, useful database)
Low
10
Medium
40
High
70
XML External Entity Injection
Low
Medium
50
High
70
Local File Inclusion
Low
Medium
50
High
Remote Code Execution
Low
10
Medium
50
High
100
Authentication Bypass
Low
Medium
50
High
90
Account Takeover
Low
Medium
50
High
90
Insecure Direct Object References
Low
10
Medium
High
Stored XSS
Low
20-30
Medium
High
Reflected XSS
Low
10-20
Medium
High
Server-Side Request
Low
Medium
40-60
High
Cross-Site Request Forgery
Low
10-20
Medium
High
Race Condition
Low
10
Medium
High
90
Server-Side Template Injection
Low
20
Medium
High
80

Points according to the vulnerability critical level are awarded as follows:

  1. Low level of importance - from 0 to 30 points;
  2. Medium level of importance - from 31 to 60 points;
  3. High level of importance - from 61 to 100 points.
  • sms-activate.org
  • hstock.org
  • ipkings.io

Rewards

Amount of the reward depends on the criticality of the vulnerability, the ease of exploitation, and the impact on user data. The level of criticality is often decided together with developers and can take longer time.
Vulnerability
Reward
Remote Code Execution (RCE)
$1500 - $5000
Local files access and other (LFR, RFI, XXE)
$500 - $3000
Injections
$500 - $3000
Cross-Site Scripting (XSS), excluding Self-XSS
$100 - $500
SSRF, except for the blind
$300 - $1000
Blind SSRF
$100 - $500
Memory leaks / IDORs / Disclosure of information with protected personal data or sensitive user information
$70 - $1150
Other confirmed vulnerabilities
Depends on the criticality
All SMS-Activate apps that deal with user data are involved. Our applications can be found in Google Play and App Store by the name SMS-Activate

Apps

Vulnerability
Reward
Remote Code Execution (RCE)
$1500 - $5000
Local files access and other (LFR, RFI, XXE)
$500 - $3000
Injections
$500 - $3000
SSRF, except for the blind
$300 - $1000
Blind SSRF
$100 - $500
Memory leaks / IDORs / Disclosure of information with protected personal data or sensitive user information
$70 - $1150
Cross-Site Request Forgery (СSRF, Flash crossdomain requests, CORS)
$35 — $300
Other confirmed vulnerabilities
Depends on the criticality

An option for registration in services where you need to enter the last digits of the incoming number for confirmation.

The number is provided for 5 minutes. You need to enter it in the service where you need to pass verification within this time. Then a code will be displayed on the page "Activation" at SMS-Activate. If you have problems with activation, cancel the purchase of the number before 5 minutes pass.

If you purchase the service, you can also receive unlimited SMS to the purchased number within 20 minutes. Verification service is provided at the same favorable price for all services.

*Only 1 number can be received. If you receive an incoming call and confirmation numbers, no refund is possible.

{{ texts.verificationVoiceTextFirst }}

{{ texts.verificationVoiceTextSecond }}

{{ texts.verificationVoiceTextThird }}