TripleA Bug Bounty Program
No technology is perfect, and TripleA believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome you to work with us in resolving the issue promptly. Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.
TripleA looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
Please contact us at firstname.lastname@example.org.
The following domains and applications are within the scope of this program:
- WooCommerce plugin (provided via wordpress plugins directory)
- OpenCart plugin (provided via opencart plugins directory)
Out of scope of this program:
- (www.)triple-a.io website,
- any prototype or test instances that may temporarily be reachable.
Third-party applications that are hosted on a subdomain are eligible for our program. Only severe vulnerabilities that affect our users, service, or infrastructure will be accepted for third-party applications and others will be reported/forwarded to the third-party vendor for the application.
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- Give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
- Vulnerabilities that are exposed publicly as a part of putting together a proof of concept (e.g. website defacement, stored XSS on a public site) are not eligible for a bounty.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- If any sensitive information is accessed as a part of exploitation, it must not be stored, transferred or otherwise processed after the initial discovery. All copies of sensitive information must be returned to TripleA and may not be retained
- Always limit exploitation to minimal proof of concept required to demonstrate the vulnerability. Do not attempt to access TripleA or users’ accounts or data or post-exploitation of other vulnerabilities. Stop and report what you have found and request additional testing permission
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact
- Reports that include clear steps to reproduce and proof of concept code will be more likely to be accepted
While researching, we’d like to ask you to refrain from:
- Denial of service to TripleA services or our merchants’ and partners’ services
- Degrading performance or service of TripleA services or our merchants’ and partners’ services
- Spamming (even self-spamming)
- Social engineering (including phishing) of any TripleA staff or contractors
- Any physical attempts against TripleA or TripleA merchants’ and partners’ property or data centers
- Accessing private information of TripleA merchants and partners
In order to be eligible for a bounty, you must meet the following requirements:
- You must be the first reporter of the vulnerability
- Vulnerability must be associated with a domain or application listed above and not applicable to the above exclusions
- You must not publicly disclose the vulnerability without our prior discretion
- Vulnerability must have a clearly identified security impact and presented with enough information for investigation and reproduction by TripleA staff
Any vulnerabilities reported with the following criteria are not eligible for a bounty:
- Affecting an ineligible scope
- Bugs caused by a third-party website that our JS client is embedded on
- Only affecting outdated browsers/platforms
- Only affecting the executing user (self-XSS and similar)
- Caused by misbehaving third-party software/website
- Applicable only through social engineering
- Pretense being you already have access to affected account (or user’s browser)
- Vulnerabilities considered by TripleA to be of low severity
Tool outputs are not enough. Scanners and automation tools are common trade practice in the security community. They often produce many results for further investigation and can yield many false positives. Reports from automated tools or scans must include additional analysis to demonstrate the exploitability of the vulnerability to be eligible for bounty awards.
- When duplicates occur, we only award the first report that we receive
- If a vulnerability is fixed in the beta version we will consider it as duplicate
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
|Remote Code Execution (RCE)||$250||$1500|
|Injection (SQLi or equivalent)||$200||$1000|
|Local/Remote File Inclusion (LFI, RFI)||$200||$1000|
|Account Takeover (depends on the complexity of user interaction)||$200||$1000|
|Sensitive Data Disclosure or Manipulation (IDOR, memory leak, etc.)||$200||$1000|
|Server Side Request Forgery (SSRF), non-blind||$200||$1000|
|Server Side Request Forgery (SSRF), blind||$75||$250|
|Corp Admin Stored Cross Site Scripting, blind||$75||$250|
|Stored Cross Site Scripting||$50||$200|
|Reflected/Other Cross Site Scripting||$50||$150|
|Cross Site Request Forgery (CSRF)||$50||$100|
|Self Cross Site Scripting||$50||$100|
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.
TripleA will determine in its own discretion whether a reward should be granted and the amount of the reward. Depending on their impact, not all reported issues qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis.
You must comply with all applicable laws in connection with your participation in this program.
Thank you for helping keep TripleA and our users safe!