Welcome to SquareX Bug Bounty!
SquareX, founded and led by serial cyber security entrepreneur Vivek Ramachandran, is building a browser-based cyber security solution with a vision to make consumers fearless online (“Product”). Our aim is to provide users control, freedom, and security while browsing the web fearlessly!
Unlike traditional security companies, which would launch the product first, then discover security bugs and vulnerabilities, we are taking an unconventional step by announcing a bug bounty program (“Bug Bounty Program”) before our Product's official launch globally. We invite hackers and researchers to uncover potential security vulnerabilities, helping us improve our Product before launching it globally.
If you discover any security issues, please notify us. We value your input and look forward to working together to strengthen our Product. By participating, you agree to follow the program rules set out in this document (“Terms”).
Bug Bounty Details
The following domains and applications are within the scope of this program:
- malware.rip website, domain and subdomains
- malwareriplabs.com domain and subdomains
- Disposable File Viewer launched via Malware.rip
- Container breakout to host
- Getting Internet access inside the container
- Breaking multitenancy, i.e. viewing other user sessions
- Attacks on Kubernetes
- Extending the lifetime of the container
- Email and DNS related issues
- Denial of service
- Crashing the container
- Firebase configuration leaks
- Server Error Messages (unless critical information is leaked)
- File restriction bypass
- Cross-Origin Resource Sharing (CORS) issues
- Cookie flags and header related issues
- Bugs without security implications
- Google Analytics (any interaction with malware.rip/track/*)
- Anything hosted on sqrx.com or subdomains of sqrx.com
Low USD 100, Medium USD 500, Hard USD 1,000, Critical USD 2,000
Successfully submit the bug/findings:
To help us evaluate and review your findings, please give us the following information:
- Vulnerability details
- URL Endpoint - The affected web application/API endpoint, e.g. https://malware.rip/display/
- Describe the vulnerability and its impact
- Steps to replicate the problem
- Proof of concept (anything you want us to know that helps us understand the findings better)
- Attachment - Screenshots and video recordings
- Administrative matters – PayPal account details and scanned copy of government identity card / document (when asked)
The report with the information above should be sent by email to email@example.com (“Report”). The subject of your email needs to follow the format "[Severity] Vulnerability - Malware.rip", where "Severity" is replaced with the level of vulnerability detected. For instance, if you've found a Critical vulnerability, the email subject must be "[Critical] Vulnerability - Malware.rip".
In order to be eligible for a bounty, you must meet the following requirements:
- You must be the first reporter of the vulnerability
- Vulnerability must be associated with a domain or application listed above and must not fall under the exclusions above
- Vulnerability must have a clearly identified security impact and be presented with enough information for investigation and reproduction by the SquareX team
- You are not a person who is:
- included on, or affiliated with any person on, the United States Treasury Department’s Office of Foreign Assets Control (OFAC) list of “Specially Designated Nationals and Blocked Persons”, the Specially Designated Narcotics Traffickers or Specially Designated Terrorists, or the Annex to Executive Order No. 13224; the Department of State’s Debarred List; the United Nations Security Council Consolidated List; the United States Commerce Department’s Denied Parties List; or on any other list of targeted persons issued under the economic sanctions laws of any other country; and/or
- resident of any country or other territory subject to a general export, import, financial or investment embargo or sanctions administered by OFAC, the United States State Department, the United Nations, the European Union, the United Kingdom, or any member state thereof (e.g. Cuba, Iran, North Korea, Sudan, Syria and the Crimea Region of Ukraine).
Submissions are evaluated based on their severity in the context of SquareX’s technical environment. Please be aware that not all submissions may be eligible for a reward/bounty. The decision made by SquareX's team will be final and binding.
SquareX will strive hard to meet the following response targets for participants of the Bug Bounty Program:
- First response – Within 2 business days from the date the Report is submitted.
- Time to triage – Within 5 business days from the date the Report is submitted.
- Time to make the payment if the bug found is accepted – Within 10 business days from the date the Report is confirmed as a vulnerability by the SquareX Team, provided that the participants provide all necessary information and respond to any follow-up queries promptly.
We appreciate your efforts, and we aim to process your rewards within 10 working days after the Report is submitted and accepted. As we will need to verify your identity before processing any payment, please provide your PayPal account details and a scanned copy of a valid government ID when asked. If you are unable to receive the payment via PayPal, you can opt to donate the bounty to a charitable cause of your choosing, provided we can pay them via PayPal as well.
Legal terms and conditions:
- SquareX reserves the right to limit or refuse your eligibility to participate in the Bug Bounty Program, or amend, withhold or cancel any Bug Bounty Program payment granted to you, for any reason in its sole discretion including but not limited to where your participation is prohibited by any applicable laws or if there is any violation of these Terms.
- SquareX hereby reserves the right to amend, suspend or terminate the Bug Bounty Program at any time with or without prior notice or consent.
- Administration of the Bug Bounty Program is at the sole discretion of SquareX, subject to applicable laws. Any questions or disputes relating to the Bug Bounty Program or these Terms (including whether the reported vulnerability is eligible for a bounty and the severity level of the reported vulnerability) will be resolved by SquareX at its sole discretion and its decision will be final and binding with respect thereto.
- By participating in the Bug Bounty Program, you hereby agree that:
- you are not breaching any applicable laws (including infringement of any third party intellectual property rights or any other rights); and
- you shall keep confidential and not disclose to any third parties any vulnerabilities, data and/or information accessed and/or obtained through or in connection with your participation in the Bug Bounty Program, except with prior written consent from SquareX.
- By participating in the Bug Bounty Program, you hereby grant to SquareX: (i) the right to use your name, country of residence, email address and any other information you provide to SquareX for the purposes of administrating the Bug Bounty Program, and (ii) the right to use such information for publicity, promotional, marketing and advertising purposes relating to the Bug Bounty Program without further compensation.
- By participating in the Bug Bounty Program, you hereby agree to release and hold harmless SquareX, its affiliates and their respective officers, directors, and employees from and against any claim or cause of action arising out of your participation in the Bug Bounty Program and/or any determination made about your eligibility in the Bug Bounty Program and/or any payment thereunder. You agree that SquareX, its affiliates and their respective officers, directors, and employees are not liable for injuries, losses or damages of any kind arising from your participation in the Bug Bounty Program and acceptance, possession and use of the benefits or payments received under the Bug Bounty Program.
Please review the scope carefully. If you believe you've found a security issue in our services that is not explicitly defined in the scope of this program, please submit it via our Responsible Disclosure Program.