Bug Bounty
Earn free coins
Program details
The main CS.MONEY prerogative is to give our 3.5+ million users opportunity to sell, trade or buy any CS:GO or DOTA 2 items they want to get, thus, we have to insure that our user’s personal information is safe and secure. We decided to launch our public bug bounty program, to improve security of our site. The goal of this bounty is to find vulnerabilities which affect the confidentiality, integrity, or availability of our services and code run by us or our customers.
Target overview
| Target | Rewards |
|---|---|
| XSS or CSRF vulnerabilities which have significant impact | $500 + |
| Clickjacking | $100 + |
| For remote executing code on server, unlegitimate access to our servers, disclosure internal private API | $1000 + |
| For any unlegitimate access to our support system | $100 + |
| For vulnerability in other systems (e.g. pic.money, s.cs.money and etc.) which can violate work on main site | $100 + |
| Any deanonymization of users or user’s data. Trading history, telephone numbers, ips and etc. | $100 + |
| Incorrect saving time. For instance saving credit cards numbers in cookies | $100 - $5000 |
| Any errors in business logic which can lead to loss of the money. For example: bugs when balance wasn’t written off after the skin was bought or traded. Bounty can be easilly increased in case a greater vulnerability is discovered. | $100 - $5000 |
| Authorization or authentication bypass | $100 + |
12 vulnerabilities rewarded
Validation within 2 days
75% of submissions are accepted or rejected within 2 days
If you find a vulnerability or you want to clarify information about the conditions of the program, contact us:
