Bug Bounty Program
BelHost welcomes responsible disclosure from security researchers. We review all qualifying reports and may offer rewards for valid vulnerabilities.
Overview
We consider the security of our systems a top priority. No system is perfect, and there can always be flaws in any technology. We look forward to working with skilled security researchers to protect our customers.
If you believe you have identified a security issue in our product or service, we encourage you to notify us.
Guidelines for responsible disclosure
- Let us know as soon as possible upon discovery of a potential security issue, and we will make every effort to quickly resolve it.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- No unauthorized impersonation: any attempts to socially engineer another party through impersonation of a BelHost employee, another researcher, or a security team will not be tolerated.
- If you comply with all conditions set in these guidelines, we will not take any legal action against you regarding your report.
- Your report will be kept confidential. We will not share your personal information with third parties without prior consent, unless necessary to comply with a legal obligation.
Rewards
To show our appreciation, BelHost offers bounties for reports of qualifying security vulnerabilities. Bounties may be awarded as financial compensation or BelHost merchandise. The reward amount is at the discretion of BelHost and is based on the internal severity rating of the disclosed vulnerability. The bounty will be communicated after validation by our internal teams.
Eligibility
To qualify for a reward, you must:
- Be the first reporter of the vulnerability.
- Follow the guidelines as described on this page.
- Not publicly disclose the vulnerability prior to our resolution.
- Provide a working proof of concept that exploits the security issue.
- Use only accounts you created yourself, and do not access data belonging to other users.
- Not be a resident of any country listed on the Specially Designated Nationals and Blocked Persons (SDN) list.
- Not be a resident of any country listed on the Consolidated List of persons, groups, and entities subject to EU financial sanctions.
Absolute exclusions
The following categories are out of scope and generally will not receive a response.
Social and physical attacks
- Social engineering (including phishing)
- Any physical attempts against BelHost property or data centers
- Physical attack on the infrastructure
Availability and abuse testing
- Denial of service
- Brute forcing
- Reports from automated tools and scans
- Missing rate limits
Low-signal web issues
- CSRF
- Self-XSS
- Clickjacking and issues only exploitable through clickjacking
- Content spoofing on error pages or text injection
- Homograph attacks
- Open redirects
- Weak CAPTCHA / CAPTCHA bypass
- Cache-related issues
Configuration and header-only findings
- X-Frame-Options related issues
- Missing cookie flags
- Missing security headers which do not lead directly to a vulnerability
- Missing noreferrer/noopener on links
- DKIM/SPF/DMARC issues
- Version exposure
- Directory listing
- SSL issues
- OPTIONS HTTP method enabled
- Server IP disclosure
Account and auth edge cases
- Authentication session timeouts (sessions are IP-bound with a 1-hour timeout)
- 2FA TOTP code reuse
- User enumeration by brute force
- 2FA activation without email confirmation
- Password verification on email change or 2FA
- Password policy
- Any attack that requires access to the user's computer (physical or remote)
Third-party and unrelated software
- Bugs in third-party software
- WordPress vulnerabilities
- Any kind of browser vulnerabilities
- Parameter tampering for payment processors
How to report
Please send your initial findings to:
[email protected]