ChicksX welcomes responsible security researchers to help identify vulnerabilities in our systems. This program defines authorized testing, scope, reporting requirements, and reward eligibility.
1. Program Rules
- Test only assets explicitly listed as in scope.
- Active testing and exploitation are permitted only on development and staging environments.
- Production systems are limited to passive testing.
- Do not disrupt service availability.
- Do not access, modify, or destroy real user data.
- Use only accounts you own or are explicitly authorized to use.
- Cease testing once impact is confirmed.
- Report vulnerabilities promptly after discovery.
- Public disclosure is prohibited without written authorization.
- Failure to comply may result in disqualification.
2. Confidentiality
- All vulnerability reports are treated as confidential.
- Disclosure to third parties is prohibited without approval.
- Researcher identities will be handled confidentially where possible.
- A disclosure embargo may be required prior to any public release.
3. Eligibility
- Participants must comply with all applicable laws.
- Employees, contractors, and immediate family members are ineligible.
- Automated tools are permitted provided they do not degrade service availability.
- Submissions must include reproducible steps and verifiable proof.
4. Environments and Testing Restrictions
- 4.1. Authorized Testing Environments:
- Active testing and exploitation are authorized exclusively on:
- Development environments.
- Staging environments.
- 4.2. Production Environment Restrictions:
- Production systems are restricted to passive testing only.
- Exploitation, automation, modification, or abuse of production systems is prohibited.
- Upon confirmation of a production issue, testing must cease and the issue must be reported immediately.
5. Domains in Scope
Only the domains listed below are eligible under this program.
5.1. Production Domains:
Passive testing only:
- chicksx.com
- api.chicksx.com
- auth.chicksx.com
- checkout.chicksx.com
- chicksgroup.com
5.2. Development and Staging Environments:
Active testing is permitted for ChicksX-owned subdomains matching:
- .dev.
- .staging.
Including, but not limited to:
- dev.chicksx.com
- staging.chicksx.com
- dev.chicksgroup.com
- staging.chicksgroup.com
Please note that development and staging environments may have certain security protections disabled and stack traces enabled by design, as these are testing environments. Reports based solely on these characteristics will not be considered valid findings.
5.3. Excluded Assets:
- Any domain, IP address, or service not explicitly listed.
- Third-party services not owned or operated by ChicksX.
- Mobile applications unless explicitly included.
6. Eligible Vulnerabilities
The following vulnerability categories are eligible:
- Authentication bypass.
- Authorization flaws, including IDOR and privilege escalation.
- SQL injection.
- Remote code execution.
- Server-side request forgery.
- Cross-site scripting, stored and reflected.
- Cross-site request forgery with demonstrable impact.
- Business logic vulnerabilities with security or financial impact.
- Sensitive data exposure.
- Subdomain takeover.
7. Ineligible Findings
The following are not eligible:
- Denial of Service or distributed denial of service.
- Load or stress testing.
- Social engineering or phishing attacks.
- Physical attacks.
- Self-XSS.
- Clickjacking without demonstrable impact.
- Missing security headers without exploitability.
- Rate-limiting.
- Issues requiring outdated browsers or non-standard configurations.
- Reports lacking reproducibility or impact.
- Hijacking scenarios dependent on user-side issues or third-party compromises.
- Exposed third-party API keys (e.g. Google Maps, Firebase) without demonstrable impact.
- Outdated libraries or known CVEs without a working proof of concept.
8. Subdomain Takeover Criteria
Subdomain takeover findings are eligible only when:
- The subdomain resolves to an unclaimed third-party service.
- Full control of the subdomain can be demonstrated.
- The affected domain is explicitly in scope.
- The issue presents a realistic security or user impact.
9. Application and Business Logic Vulnerabilities
Examples include:
- Broken access control.
- Session fixation or hijacking.
- Token leakage.
- API authorization bypass.
- Payment manipulation.
- Balance, discount, or coupon abuse.
- Order or checkout tampering.
- Logic flaws enabling unauthorized benefits.
10. Reporting Requirements
All submissions must include:
- A clear description of the vulnerability.
- Affected domain and environment.
- Step-by-step reproduction instructions.
- Proof of concept demonstrating the issue.
- Impact assessment.
- Suggested remediation, if available.
- Reports lacking sufficient detail may be closed without reward.
11. Response Time Expectations
- Initial response within 48 hours.
- Triage within five business days.
- Resolution timelines vary based on severity and complexity.
12. Reward Structure
Rewards are determined based on severity, impact, exploitability, and report quality. CVSS is used as a guideline and does not guarantee a specific payout.
12.1 Standard Reward Ranges:
Critical (9.8 - 10.0): Up to $600
High (7.0 - 9.7): $60 - $200
Medium (4.0 - 6.9): $35 - $60
Low (0.1 - 3.9): $15 - $35
UI-related security findings: Up to $15
UI-related findings must demonstrate security relevance. Purely cosmetic issues are excluded.
13. Duplicate Submissions
- Only the first valid submission of a vulnerability is eligible for reward
- Subsequent reports of the same root issue will be classified as duplicates
- Reports may still be eligible if they demonstrate:
a.A distinct attack vector.
b.A materially higher impact.
c.An additional affected system not previously identified.
d.ChicksX retains final authority in duplicate determinations.
14. Report Quality Examples
14.1 High-Quality Report:
A high-quality report is precise, reproducible, and impact-focused. Example:
Clear title identifying vulnerability and affected system.
Environment specified.
Reproducible steps with supporting evidence.
Clear explanation of security impact.
Justification for severity assessment.
14.1 Low-Quality Report:
Low-quality reports typically exhibit one or more of the following:
Vague or sensational titles.
No environment or scope identification.
Missing reproduction steps.
No proof of exploitability.
No articulated impact.
Opinion-based or cosmetic observations.
Such reports may be closed without reward.
15. Legal and Contact Information
ChicksX will not pursue legal action against researchers who:
- Adhere to this program’s rules.
- Act in good faith.
- Avoid privacy violations.
- Do not exploit vulnerabilities beyond proof of concept.
- Immediately report accidental exposure to real user data.
16.Legal
Participation does not create an employment relationship, grant ownership rights, or guarantee rewards. ChicksX reserves the right to modify or terminate this program at any time.
17.Contact
Vulnerability reports and inquiries should be submitted to: [email protected]