Multiservice ?
SELECT A COUNTRY
CHOOSE OPERATOR
Service Price wholesale/retail

By clicking the "Buy" button you agree to project rules

You must register or log in
SELECTING A SERVICE
Haven't found a new service? Offer

By clicking the "Buy" button you agree to project rules

You must register or log in
Verification by call ?
SELECT A COUNTRY
(we have )
CHOOSE OPERATOR
Service Price wholesale/retail

No favorites

By clicking the "Buy" button you agree to project rules

Bug Hunting

You need to find vulnerabilities in infrastructure, services and applications that work with private data. Hunting territory: domains, mobile and desktop applications.

  • sms-activate.org
  • hstock.org
  • proxy.sms-activate.org

Rewards

The amount of remuneration depends on the criticality of the vulnerability, the ease of its operation and the impact on user data. The decision on the level of criticality is often made jointly with the developers, and this may take some time.

VulnerabilityReward
Remote code execution (RCE)$1500 - $5000
Local files access and more. (LFR, RFI, XXE)$500 - $3000
Injections$500 - $3000
Cross-Site Scripting (XSS), excluding self-XSS$100 - $500
SSRF, except for the blind$300 - $1000
Blind SSRF$100 - $500
Memory Leaks / IDORs / Disclosure of information with protected personal data or confidential user information$70 - $1150
Other confirmed vulnerabilitiesDepends on the criticality

All SMS-Activate applications that deal with user data are involved. Our applications can be found in Google Play и App Store by name SMS-Activate

Mobile applications

The amount of remuneration depends on the criticality of the vulnerability, the ease of its operation and the impact on user data. The decision on the level of criticality is often made jointly with the developers, and this may take some time.

VulnerabilityReward
Remote code execution (RCE)$1500 - $5000
Local files access and more. (LFR, RFI, XXE)$500 - $3000
Injections$500 - $3000
SSRF, except for the blind$300 - $1000
Blind SSRF$100 - $500
Memory Leaks / IDORs / Disclosure of information with protected personal data or confidential user information$70 - $1150
Cross-Site Request Forgery (СSRF, Flash crossdomain requests, CORS)$35 — $300
Other confirmed vulnerabilitiesDepends on the criticality

Exceptions from the program

SMS-Activate does not pay remuneration for:

  • reports of security scanners and other automated tools;
  • disclosure of non-critical information, such as the name of the software or its version;
  • disclosure of public user information;
  • problems and vulnerabilities that are based on the version of the product used, without demonstration of operation;
  • information about IP addresses, DNS records and open ports SMS-Activate;
  • zero-day error messages in TLS;
  • reports on insecure SSL/TLS ciphers without demonstration of operation;
  • lack of SSL and other BCP (best current practice);
  • physical attacks on the SMS-Activate property or its data centers;
  • problems of lack of security mechanisms without demonstration of exploitation that may affect user data. For example, the absence of CSRF tokens, Clickjacking, etc.;
  • Login/Logout CSRF or other actions without proven security impact;
  • open redirects, but unless the problem affects the security of the service, for example, allows you to steal a user authentication token. With this problem, you can qualify for being added to the Hall of Fame;
  • CSV and Excel formula injections;
  • absence of CSP policies on the domain or unsafe CSP configuration;
  • XSS and CSRF, which require additional actions from the user. The reward is paid only if they affect sensitive user data and are triggered immediately when going to a specially generated page, without requiring additional actions from the user;
  • XSS, which requires the introduction or forgery of some header, for example, Host, User-Agent, Referer, Cookie, etc.;
  • Tabnabbing — target="_blank" in links with no proven security impact;
  • Content spoofing, content injection, or text injection with no proven security impact;
  • no flags on insensitive cookies;
  • the presence of the autofill attribute on web forms;
  • No Rate Limit without proven security impact;
  • presence or absence of SPF and DKIM records;
  • using a known vulnerable library without demonstrating exploitation;
  • problems that require the use of social engineering techniques, phishing reports;
  • social engineering of employees or contractors SMS-activate.org;
  • vulnerabilities in partner services if user data is not affected SMS-activate.org;
  • vulnerability messages about passwords or password policies and other user authentication data;
  • vulnerabilities on mobile devices that require root privileges, jailbreak and any other modification of applications or devices to be exploited;
  • disclosure of Access keys that have restrictions or are sewn into the apk and do not give access to personal data;
  • vulnerabilities that affect only users of outdated or vulnerable browsers and platforms;
  • attacks that require physical access to the user's device;
  • the fact that it is possible to decompile or use reverse application development;