TorBox Bug Bounty Program

Learn how to report issues and vulnerabilities to the TorBox Bug Bounty Program

Updated over 2 months ago

Our goal is to ensure the security of our services, and we appreciate the contribution of every hacker who helps us in this mission. We reward experts who find and report vulnerabilities in our systems. This is necessary because we have a small team of developers who might not be able to catch everything. We are not just looking for bugs in general, but for bugs that could leak or remove the privacy measures TorBox has put in place.

Guidelines

  • Activities that cause damage to our systems or users, or that violate user data privacy, will not be tolerated. Therefore, analyzing accounts that do not belong to you is strictly prohibited.

  • Any activity that does not respect our Vulnerability Policy or provides information on vulnerabilities considered "Out of Scope" is strictly forbidden.

Report Requirements

For a report to be eligible for a reward, it must include the following information:

  • Description of the Vulnerability: A detailed description of the identified vulnerability and the technical/economic damage it could cause if exploited.

  • Proof of Concept: A detailed, step-by-step explanation of how the vulnerability can be identified and how it could be exploited.

  • Solution/Mitigation: A detailed, step-by-step explanation of how the vulnerability can be corrected or mitigated.

Out of Scope

The following types of issues are considered out of scope and may not qualify for a reward:

  • Clickjacking on pages without sensitive functionality.

  • Self-XSS (Cross-Site Scripting involving user actions).

  • Reports of missing or misconfigured Content Security Policy (CSP) unless a significant impact can be demonstrated.

  • Low-impact information disclosures without concrete consequences (e.g., banner grabbing).

  • Vulnerabilities requiring physical interaction with the victim (e.g., physical device theft, in-person phishing) and social engineering attacks targeting TorBox employees or partners.

  • Automated scan tool results or reports generated by automatic tools without further verification or proof of real impact.

  • Issues related to outdated or unsupported browsers, platforms, or operating systems.

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

  • Vulnerabilities stemming from third-party applications unless due to misconfiguration by TorBox.

  • Reports on general security practices without practical impact (e.g., missing HTTP Strict Transport Security).

  • Password management issues such as lack of complexity checks or failed login attempt limits.

  • "Missing Rate Limiting" vulnerabilities without demonstrable real impact.

  • Reports on spam or unsolicited emails without exploitability.

  • Issues related to DNSSEC (Domain Name System Security Extensions) unless directly impacting the security of the main domain.

  • Brute force attacks.

  • Reports on credential/API key leaks without real impact.

  • Any attack that intentionally harms TorBox users.

  • Reports on best practices without practical impact or potential for escalation (e.g., error pages, DMARC, SPF, DNSSEC, mixed content SSL).

  • Attacks exploiting the ability to insert code in one's own shop and execute it from the visiting browser (e.g., XSS) without real impact on the application or significant user harm. Reports must highlight realistic attack scenarios compromising sensitive data or significantly altering TorBox applications' functionality.

By participating in our Bug Bounty Program, you help us enhance the security and reliability of our services. We value your contributions and look forward to working with you to make TorBox safer for everyone.

Reporting

Please report any findings, following the Report Requirements above, to the TorBox support team at [email protected], and we will investigate from there. Urgent requests should also be sent there.
