Bounty

At Eneba we’re happy to cooperate with the security research community and maintain a reward program for issues found.

If you believe you’ve detected a security issue and wish to claim a reward, please check the guidelines below.

Qualifying issues

  1. Cross-site scripting
  2. Cross-site request forgery
  3. Mixed-content scripts
  4. Authentication or authorization flaws
  5. Server-side code execution bugs
  6. Ability to retrieve keys not belonging to the user
  7. Bypassing user verification procedures

Non-qualifying issues

Due to limited impact and/or resources required, certain issues may not qualify for a reward.

  1. Issues requiring unlikely user actions. For example, if a user needs to enter something manually in the console, the issue will not qualify.
  2. Email spoofing for the eneba.com domain. We are aware of issues that might arise with spoofed emails, but we do not deem this a reward-worthy issue.
  3. Enumeration attacks. Brute-force attacks will not be considered for a reward unless you demonstrate that there is a rate-limiting issue.

Disclosure procedure

  1. Summarise the issue(s) that you have found.
  2. Describe the attack vector that can be taken advantage of.
  3. Add video/screenshots that might help with understanding the issue.
  4. Compile the information and send it to bounty@eneba.com
  5. We will resolve the issue within 30 days of the disclosure.
  6. The bounty will be decided and paid out after the resolution.

If the issue is disclosed elsewhere prior to the resolution, it will be disqualified from receiving the reward.