Megamarket

Rules for Us

• We respect the time and effort of our researchers.
• We respond within 2 business days.
• We process reports within 5 business days after our initial response.
• We may extend the processing time, but you will be informed about any delays.
• We determine the reward amount within 5 business days after processing.
• We will do our best to keep you informed about the progress of your report.

Rules for You

• Be an ethical hacker and respect the confidentiality of other users.
• Avoid compromising privacy, deleting data, or disrupting or degrading our services.
• When registering a test account for Megamarket research, please use the word "Standoff" in the “Last Name” field to prevent your account getting potentially blocked.
• Automatic scanning tools must be limited to 30 requests per second per target host, counting all tools and threads combined.
• Review these program rules before beginning your research.
• Report vulnerabilities clearly and efficiently.

Scope

Megamarket Does Not Reward For

• Security scanner and other automated tool reports.
• Reports generated by artificial intelligence.
• Unlimited SMS or email-sending capabilities.
• Reports about using four-character SMS codes without proof of account takeover.
• Username enumeration via login or password reset functionality.
• Rate-limit issues without additional impact.
• Information about IP addresses, DNS records, or open ports.
• Issues based solely on product version without exploitation PoC.
• Vulnerabilities blocked by security systems (e.g., WAF) without bypass demonstration.
• Reports about insecure SSL/TLS ciphers without exploitation demonstration.
• Duplicated reports already submitted by other participants.
• 0-day and 1-day vulnerabilities publicly disclosed less than 30 days ago, or CVSS > 8 vulnerabilities disclosed less than 14 days ago.
• Self-XSS and other issues not impacting users or application data directly.
• Vulnerabilities requiring outdated or unsupported browsers (over 6 months old).
• CORS misconfigurations without proof of exploitation.
• Disclosure of username, email, or phone number existence.
• Disclosure of technical or non-sensitive data (e.g., software versions, stacktraces).
• Tabnabbing, clickjacking.
• CSP-related reports for domains without CSP or with unsafe eval/inline policies.
• Attacks requiring full access to a local account, browser profile or victim's device.
• Disclosure of sensitive user data through external, non-Megamarket resources (e.g., spyware data).
• Issues requiring complex or highly improbable user interaction.
• Misconfigurations in DNS/email (DKIM/DMARC/SPF/TXT) without security impact.
• Broken or outdated social media links or similar inactive pages.
• Ability to perform actions unavailable via UI without actual security risk.
• Ability to create user accounts without restrictions.
• User enumeration or disclosure of public user information.
• Missing user action notifications.
• Leakage of confidential tokens (e.g., password reset token) to trusted third parties over HTTPS.
• Account takeover of non-technical staff without access to sensitive data.
• Issues unrelated to security.
• Missing security best practices without demonstrated user/system impact (e.g., missing headers CSP/HSTS, cookie flags HttpOnly/Secure, CSRF protection, SSL certificates).

Megamarket’s Commitments

• Prioritize security tasks and promptly address identified vulnerabilities.
• Respect researchers and not impose unjustified restrictions on responsible disclosure.
• Refrain from making unfounded accusations related to research participation.

Public Disclosure

Prohibited Actions

• Access, modify, delete, or disclose other users' data without consent. Intentional access to such data is prohibited and may be considered illegal.
• Interfere with other users’ accounts.
• Use vulnerabilities for personal benefit.
• Use testing tools that generate excessive traffic or lead to resource exhaustion attacks.
• Conduct attacks impacting service integrity or availability (e.g., DoS, brute force). Instead, report the issue, and Megamarket’s team will perform verification in a test environment.
• Perform physical attacks on staff, data centers, or offices.
• Conduct attacks using social engineering techniques (phishing, vishing, spam) against clients, partners, or staff.
• Research underlying server infrastructure hosting web applications.
• Disclose vulnerability details before Megamarket’s official public release.
  If multiple vulnerabilities are discovered, prepare separate reports for each one.

RCE Testing Policy

• Executing commands: ifconfig (or ipconfig), hostname, whoami, id.
• Reading contents of files /etc/passwd and /proc/sys/kernel/hostname (or drive:/boot.ini, drive:/install.ini).
• Creating an empty file in your user directory.
  Any other actions must be pre-approved by Megamarket’s security specialists.

SQL Injection Testing Policy

• Retrieving current database name (SELECT database()), version (SELECT @@version), current user (SELECT user(), SELECT system_user()), and hostname (SELECT @@hostname).
• Retrieving database schema (SELECT table_schema), list of tables (SELECT table_name), and column names (SELECT column_name).
• Performing mathematical, conversion, or logical queries (including SLEEP) without data extraction other than listed above.
  Any additional actions must be pre-approved by Megamarket’s security specialists.

File Upload and Reading Policy

• Modify, replace, or delete any files on the server (including system files) except those associated with your account or approved user accounts.
• Upload files that can cause denial of service (e.g., large files).
• Upload malicious files (malware, spyware, etc.).