Infrastructure, Web Services, DirectSMS apps

This program is for security researchers who like to find and report vulnerabilities in our infrastructure and applications. For each vulnerability found, we pay out a reward, provided the report satisfies the rules and conditions of the Bug Bounty program set out below.


Rules of participation for the Bug Bounty program

To participate in the Bug Bounty program, you must follow these rules of participation. If you do not follow these rules, we may disqualify you from the program and refuse to pay any reward.

  • Independent researchers only: This program is open to independent security researchers only. Employees of our company, their relatives, and contractors are not eligible to participate.
  • Responsible Disclosure: You must give us a reasonable amount of time to fix the vulnerability before you disclose it to anyone else. You must not disclose the vulnerability to any third party without our prior written consent.
  • No destructive actions: You must not use the vulnerability for any destructive actions, such as deleting or modifying data, or disrupting our services.
  • No social engineering: You must not use social engineering or phishing attacks against our employees or users.
  • Scope: Only vulnerabilities in the domains and applications listed in the "Domains" and "Apps" tabs are in scope for the Bug Bounty program.

Rewards and Payments

Rewards are paid based on the severity of the vulnerability. The severity is determined by our security team at its sole discretion. Payments are made through designated platforms or via electronic payment systems as agreed upon.

Appendix A

Types of vulnerabilities that are NOT within the scope of our program and are NOT rewarded:

  • Social engineering (phishing, vishing, etc.)
  • Physical security violations
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Spam or mass mailing
  • Vulnerabilities in third-party services used by our infrastructure
  • SSL/TLS configuration issues without a direct security impact
  • Rate limiting or brute force issues on non-critical forms
  • Clickjacking on pages without sensitive actions
  • Disclosure of non-sensitive information
  • Missing security headers that don't lead to a direct vulnerability

Appendix B

Table of vulnerability categories and reward levels (New reduced prices):

Vulnerability                    Low     Medium   High
-----------------------------    ----    ------   ------
Remote Code Execution (RCE)      $150    $450     $1,500
SQL Injection                    $60     $240     $750
Authentication Bypass            $45     $225     $600
Stored XSS                       $30     $120     $360
Broken Access Control (IDOR)     $30     $150     $450
Reflected XSS / CSRF             $15     $60      $240
Sensitive Data Disclosure        $15     $75      $225

In-Scope Domains

  • directsms.net
  • api.directsms.net
  • *.directsms.net

In-Scope Applications

  • DirectSMS Android App
  • DirectSMS iOS App
  • DirectSMS Desktop Integration

Report a Security Bug