Server-side SQL from the browser
We make SQL database servers available to client-side web apps.
We reward only server-side bugs. Such bugs can only be demonstrated through a client-side app. Server-side security concerns relate to 1) unauthorized destruction of data, and 2) unauthorized release of private data.
We award bounties for DEMONSTRATED SUCCESS at either of the above.
There are four client apps available for testing: http://www.rdbhost.com/bug_bounty.html
Guidance for how an exploit can be demonstrated is provided for each. These are live apps, so if you experiment with fake data, clean up your mess.
You do have permission to destroy and share data on each, to the extent that you can find the ability to do so, and within the Responsible Disclosure constraints. If you are more comfortable with explicit permission to damage databases, send me an encrypted email using the GPG key on the website, and I will respond with a signed email giving you permission.
We have awarded bounties for exploits that did not fall within the objectives in the paragraphs above, but they did DEMONSTRATE SUCCESS at revealing information that people would reasonably expect a web site or web service to protect. Note that account numbers are NOT protected information.
email spoofing issues.
Open for all
2 - 7 days / 98%