Rules of Participation
Participation in the program requires acting ethically, responsibly and adhering to the rules. Be sure to read all the rules before you start discovering vulnerabilities.
1
Do not distribute information about the found vulnerability until it is fixed.
2
Use every effort not to harm our users and services (act in good faith).
3
Be sure to use your own accounts, phone numbers, etc. to conduct research. Do not try to access other people's accounts or any sensitive information. If you need account access to find vulnerabilities, you must use your own personal account.
4
If, during testing, personal data is inadvertently accessed by a the researcher, we strongly request that all information associated with them be deleted - including: connection codes, personal data, etc., after notifying us about it.
5
Use all necessary measures to avoid violations of the privacy and performance of other users, including unauthorized access to data, destruction of data, interruption or degradation of services, etc.
6
We will consider it inadmissible and no bounty will be paid if we discover that during the course of testing and finding a vulnerability by a the researcher: 6.1 Physical interference was made in data centers or offices. 6. 2 Social engineering methods were used against company employees. 6.3 The company's infrastructure was hacked and the information obtained was used to report vulnerabilities. 6.4 Attempts were made to gain access to the account or data of other users.
7
Automated scanning tools must have a limit of 5 requests per second (300 requests per minute) per target host and must not exceed the limit of 3 concurrent requests at the same time (5 threads).
8
Avoid aggressive security testing practices. Remember that you are testing a production environment that is functioning, maintained, and controlled. To prevent negative consequences, conduct research responsibly, act less intrusively, and control the impact of your tests on users wisely , moderators, and administrators. Aggressive security checks and tests may trigger alerts and result in enforcement actions such as blocking an account, phone number, or IP address.
