Bug Bounty

Last Updated: 9 February 2026

ChicksX welcomes responsible security researchers to help identify vulnerabilities in our systems. This program defines authorized testing, scope, reporting requirements, and reward eligibility.

1. Program Rules

Test only assets explicitly listed as in scope.
Active testing and exploitation are permitted only on development and staging environments.
Production systems are limited to passive testing.
Do not disrupt service availability.
Do not access, modify, or destroy real user data.
Use only accounts you own or are explicitly authorized to use.
Cease testing once impact is confirmed.
Report vulnerabilities promptly after discovery.
Public disclosure is prohibited without written authorization.
Failure to comply may result in disqualification.

2. Confidentiality

All vulnerability reports are treated as confidential.
Disclosure to third parties is prohibited without approval.
Researcher identities will be handled confidentially where possible.
A disclosure embargo may be required prior to any public release.

3. Eligibility

Participants must comply with all applicable laws.
Employees, contractors, and immediate family members are ineligible.
Automated tools are permitted provided they do not degrade service availability.
Submissions must include reproducible steps and verifiable proof.

4. Environments and Testing Restrictions

4.1. Authorized Testing Environments:

Active testing and exploitation are authorized exclusively on:

Development environments.
Staging environments.

4.2. Production Environment Restrictions:

Production systems are restricted to passive testing only.
Exploitation, automation, modification, or abuse of production systems is prohibited.
Upon confirmation of a production issue, testing must cease and the issue must be reported immediately.

5. Domains in Scope

Only the domains listed below are eligible under this program.

5.1. Production Domains:

Passive testing only:

chicksx.com
api.chicksx.com
auth.chicksx.com
checkout.chicksx.com
chicksgroup.com

5.2. Development and Staging Environments:

Active testing is permitted for ChicksX-owned subdomains matching:

.dev.
.staging.

Including, but not limited to:

dev.chicksx.com
staging.chicksx.com
dev.chicksgroup.com
staging.chicksgroup.com

Please note that development and staging environments may have certain security protections disabled and stack traces enabled by design, as these are testing environments. Reports based solely on these characteristics will not be considered valid findings.

5.3. Excluded Assets:

Any domain, IP address, or service not explicitly listed.
Third-party services not owned or operated by ChicksX.
Mobile applications unless explicitly included.

6. Eligible Vulnerabilities

The following vulnerability categories are eligible:

Authentication bypass.
Authorization flaws, including IDOR and privilege escalation.
SQL injection.
Remote code execution.
Server-side request forgery.
Cross-site scripting, stored and reflected.
Cross-site request forgery with demonstrable impact.
Business logic vulnerabilities with security or financial impact.
Sensitive data exposure.
Subdomain takeover.

7. Ineligible Findings

The following are not eligible:

Denial of Service or distributed denial of service.
Load or stress testing.
Social engineering or phishing attacks.
Physical attacks.
Self-XSS.
Clickjacking without demonstrable impact.
Missing security headers without exploitability.
Rate-limiting.
Issues requiring outdated browsers or non-standard configurations.
Reports lacking reproducibility or impact.
Hijacking scenarios dependent on user-side issues or third-party compromises.
Exposed third-party API keys (e.g. Google Maps, Firebase) without demonstrable impact.
Outdated libraries or known CVEs without a working proof of concept.

8. Subdomain Takeover Criteria

Subdomain takeover findings are eligible only when:

The subdomain resolves to an unclaimed third-party service.
Full control of the subdomain can be demonstrated.
The affected domain is explicitly in scope.
The issue presents a realistic security or user impact.

9. Application and Business Logic Vulnerabilities

Examples include:

Broken access control.
Session fixation or hijacking.
Token leakage.
API authorization bypass.
Payment manipulation.
Balance, discount, or coupon abuse.
Order or checkout tampering.
Logic flaws enabling unauthorized benefits.

10. Reporting Requirements

All submissions must include:

A clear description of the vulnerability.
Affected domain and environment.
Step-by-step reproduction instructions.
Proof of concept demonstrating the issue.
Impact assessment.
Suggested remediation, if available.
Reports lacking sufficient detail may be closed without reward.

11. Response Time Expectations

Initial response within 48 hours.
Triage within five business days.
Resolution timelines vary based on severity and complexity.

12. Reward Structure

Rewards are determined based on severity, impact, exploitability, and report quality. CVSS is used as a guideline and does not guarantee a specific payout.

12.1 Standard Reward Ranges:

Critical (9.8 - 10.0): Up to $600
High (7.0 - 9.7): $60 - $200
Medium (4.0 - 6.9): $35 - $60
Low (0.1 - 3.9): $15 - $35
UI-related security findings: Up to $15
UI-related findings must demonstrate security relevance. Purely cosmetic issues are excluded.

13. Duplicate Submissions

Only the first valid submission of a vulnerability is eligible for reward
Subsequent reports of the same root issue will be classified as duplicates
Reports may still be eligible if they demonstrate:

a.A distinct attack vector.

b.A materially higher impact.

c.An additional affected system not previously identified.

d.ChicksX retains final authority in duplicate determinations.

14. Report Quality Examples

14.1 High-Quality Report:

A high-quality report is precise, reproducible, and impact-focused. Example:

Clear title identifying vulnerability and affected system.
Environment specified.
Reproducible steps with supporting evidence.
Clear explanation of security impact.
Justification for severity assessment.

14.1 Low-Quality Report:

Low-quality reports typically exhibit one or more of the following:
Vague or sensational titles.
No environment or scope identification.
Missing reproduction steps.
No proof of exploitability.
No articulated impact.
Opinion-based or cosmetic observations.
Such reports may be closed without reward.

15. Legal and Contact Information

ChicksX will not pursue legal action against researchers who:

Adhere to this program’s rules.
Act in good faith.
Avoid privacy violations.
Do not exploit vulnerabilities beyond proof of concept.
Immediately report accidental exposure to real user data.

16.Legal

Participation does not create an employment relationship, grant ownership rights, or guarantee rewards. ChicksX reserves the right to modify or terminate this program at any time.

17.Contact

Vulnerability reports and inquiries should be submitted to: [email protected]