altilly Bug Bounty Program


We will pay you for reporting valid security issues on altilly.com


Rules for you

Don't attempt to gain access to another user's account or data.

Don't perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.

Don't publicly disclose a bug before it has been fixed.

Only test for vulnerabilities on sites you know to be operated by altilly. We use other services for customer support and those websites should not be tested.

Don't use scanners or automated tools to find vulnerabilities. They're noisy and your IP address will probably get banned.

Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

When in doubt, contact us via the support ticket system.


Rules for us

We will respond as quickly as possible to your submission.

We will keep you updated as we work to fix the bug you submitted.

We will not take legal action against you if you play by the rules.


What does not qualify

Bugs that don't affect the latest version of modern browsers (Chrome, Firefox, Edge, Safari). Bugs related to browser extensions are also out of scope.

Bugs requiring exceedingly unlikely user interaction.

Insecure cookie settings for non-sensitive cookies.

Disclosure of public information and information that does not present significant risk.

Bugs that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible.

Bugs in content/services that are not owned/operated by altilly. This includes third party services operating on subdomains of altilly.com.

Vulnerabilities that altilly determines to be an accepted risk will not be eligible for a paid bounty.

Scripting or other automation and brute forcing of intended functionality.

When in doubt, contact us via the support ticket system.


Rewards range from $25 up to $10,000 and are determined at our discretion based on a number of factors. For example, if you find a reflected XSS that is only possible in Opera, and Opera is <2% of our traffic, then the severity and reward will be lower. But a persistent XSS that works in Chrome, at >60% of our traffic, will earn a much larger reward.

Severity classifications. We will classify your report into one of the following:

Classification   Typical Bounty   Description
No Bug           $0               Something we determine cannot affect a customer
Very Low         $25              Minimal effect on the customer; no fund loss
Low              $50              Minimal effect on the customer; possible account actions, but no fund loss
Medium-Low       $100             Medium-to-low effect on a targeted customer, but does not necessarily affect all
Medium           $250             Medium effect on a targeted customer, but does not necessarily affect all
Medium-High      $250 - $500      Medium-to-high effect on a targeted customer, but does not necessarily affect all
High             $500 - $1500     Affects all customers or the integrity of our system and/or data
Very High        $1500 - $5000    Affects all customers or the integrity of our system and/or data
Critical         $5000 - $10000   Affects all customers or the integrity of our system and/or data

You can report your bugs via our customer support ticket system. Please make sure to include "Bug Bounty" in the subject of your ticket.

Historical Bug Reports (Resolved)

ID  Summary                                            Reported By  Classification  Report Date
19  Notification Emails: IP + Content-Spoofing         Sajibe       Medium-High     2018-10-15
18  Allowing insecure passwords                        Sajibe       Medium          2018-10-13
17  Showing web server version                         Sajibe       Low             2018-10-05
16  Vulnerable jQuery                                  areeb        Medium-Low      2018-09-26
15  Missing rate limit for a Current Password field    areeb        Low             2018-09-26
14  X-XSS-Protection misconfiguration                  areeb        Very Low        2018-09-18
13  Password reset link is not expiring                areeb        Very Low        2018-09-18
12  HTTP Strict Transport Security policy not enabled  areeb        Very Low        2018-09-18
11  Password change notification                       areeb        Very Low        2018-09-18
10  Old password can be new password bug               areeb        Low             2018-09-18
9   X-Content-Type-Options                             areeb        Low             2018-09-18
8   No SMTP protection bug                             areeb        Low             2018-09-18
7   Missing Content-Security-Policy (CSP) header       areeb        Medium-Low      2018-09-18
6   Browser cache management bug                       areeb        Very Low        2018-09-18
5   Password reset expiration                          areeb        Low             2018-09-18
4   Password length verification bypass                areeb        Very Low        2018-09-18
3   User session expiration                            areeb        Medium          2018-09-18
2   XSRF token problem                                 areeb        No Bug          2018-09-18
1   Missing DNSSEC                                     areeb        No Bug          2018-09-17