SCOPE
The types of vulnerabilities that we reward the highest for are critical vulnerabilities, such as remote code execution, access to server source code or data, and cheating on games leading to financial gain. Payouts are not made for Informational or Low severity issues; only Medium and above.
OUT OF SCOPE
- Missing Security Headers.
- Missing Cookie Flags.
- SSL/TLS Misconfigurations.
- Username Enumeration.
- Outdated WordPress Core, Plugins, or Themes (unless remotely exploitable).
- Low Impact Information Disclosure, such as Apache, PHP versions, etc.
- Self-Cross-Site Scripting (XSS).
- Password policy issues.
- Missing DMARC/SPF.
- Session Handling (unless Medium severity or above).
RULES
- In the event that we receive duplicate reports, the first report received will be considered the valid one.
- Do not attempt any Denial of Service (DoS) attacks.
- Do not modify any user or system data.
- Do not disclose the vulnerability to any third-parties, or publicly, until we have remediated the vulnerability.
- Do not compromise other users' accounts or data.
- Do not use automated tools, such as web vulnerability scanners.
- Do not conduct Social Engineering attacks, Phishing, or any physical testing, such as lock picking.
- Employees and business partners are excluded from the Bug Bounty.
REPORTING A VULNERABILITY
Please email your vulnerability information to bugbounty@bovada.lv and include the following information:
- Contact Name
- Vulnerability Title
- Services or Products Affected
- Vulnerability Technical Description
- Vulnerability Risk Rating (Informational, Low, Medium, High, Critical)
- Screenshots or any other supporting information
A member of our Cyber Security team will respond to your report as soon as possible, usually within 2 business days, please take into consideration time zone differences in our response time.