Last Updated: 06 March 2025
Welcome to Chicks Gold's Bug Bounty Program. We value the contributions of the global cybersecurity community and recognize the importance of incentivizing security research to enhance our digital infrastructure's safety. We urge security enthusiasts, ethical hackers, and researchers to help us identify vulnerabilities in our products and systems.
1. Program Rules
Before you report a bug, please review these rules:
- Respect privacy: Only test for vulnerabilities in systems you have permission to access.
- Avoid disruption: Do not engage in activities that may degrade our services or inconvenience our users.
- Maintain confidentiality: Do not disclose the bug or vulnerability to the public or third parties before we have resolved it.
- Report promptly: If you discover a vulnerability, please report it to us as soon as possible.
2. Confidentiality
Any information you receive or collect about Chicks Group or any Chicks Group user through this Bug Bounty Program ("Confidential Information") must be kept confidential and only used in connection with the program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your submission and information you obtain when researching the Chicks Group sites.
3. Eligibility
- Read and agree to all the terms & conditions.
- Provide all information required by our team to reproduce and triage the issue.
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through this platform (if more time is needed, please contact the service desk to let us know).
- In general, Out-of-Scope vulnerabilities are not considered reward eligible.
- Only qualifying vulnerabilities will be rewarded.
- Reports considered duplicates will not be eligible for monetary reward.
- The same vulnerability found in several places may be treated as a duplicate if the assets share the same technology.
4. Domains
Our bug bounty program covers the following domains and applications:
- chicksgold.com
- chicksx.com
- divicasales.com
- acckings.com
- gamertotal.com
5. In Scope
We are interested in vulnerabilities that could impact the security and privacy of our systems or customers. Specifically:
- Leaking of personal data.
- Horizontal/vertical privilege escalation.
- SQL Injection (SQLi).
- UI-related bugs (of any nature).
6. Common Template
Where specified, some assets share the same source code, meaning a single root fix covers all of them. Because of this, they can contain issues in common. If a specific issue has already been found on another website, it will be treated as a duplicate.
7. Asset Scope Details
All submissions related to an application must strictly match what is listed in the scope area. If the scope includes a larger top-level domain or a wildcard (*), it will be mentioned explicitly.
8. Subdomain Takeover
When you perform a subdomain takeover, please release the domain again once triage has validated your submission.
9. Application
- Do not upload shells or create a backdoor of any kind.
- Pre-Auth Account takeover/OAuth squatting.
- Self-XSS that cannot be used to exploit other users.
- Verbose messages/files/directory listings without disclosing any sensitive information.
- CORS misconfiguration on non-sensitive endpoints.
- Missing cookie flags.
- Missing security headers.
- Cross-site Request Forgery with no or low impact.
- Presence of autocomplete attribute on web forms.
- Reverse tab nabbing.
- Bypassing rate-limits or the non-existence of rate-limits.
- Best practices violations (password complexity, expiration, re-use, etc.).
- Clickjacking without proven impact/unrealistic user interaction.
- Sessions not being invalidated (logout, enabling 2FA, etc.).
- Tokens leaked to third parties.
- Anything related to email spoofing, SPF, DMARC or DKIM.
- Content injection without being able to modify the HTML.
- Username/email enumeration.
- Email bombing.
- HTTP Request smuggling without any proven impact.
- Homograph attacks.
- XMLRPC enabled.
- Banner grabbing/Version disclosure.
- Not stripping metadata of files.
- Same-site scripting.
- Subdomain takeover without taking over the subdomain.
- Arbitrary file upload without proof of the existence of the uploaded file.
- Blind SSRF without proven business impact (pingbacks are not sufficient).
- Disclosed/misconfigured Google Maps API keys.
- Host header injection without proven business impact.
10. General
- Defacement / reputation damage.
- If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate.
- Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end-user interactions to be exploited.
- Spam, social engineering, and physical intrusion.
- DoS/DDoS attacks or brute force attacks.
- Vulnerabilities that only work on software that no longer receives security updates.
- Attacks requiring physical access to a victim's computer/device, man-in-the-middle or compromised user accounts.
- Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported but are usually not eligible for a bounty.
- Reports that state that software is out of date/vulnerable without a proof-of-concept.
11. Last 90-Day Response Times
- Average time to first response: < 3 days.
- Average time to decide: < 3 weeks.
- Average time to triage: < 4 days.
12. Reward Structure
Rewards vary based on the severity of the vulnerability and the quality of the report. We use CVSS (Common Vulnerability Scoring System) to determine severity.
12.1 Regular Reward Structure
- Critical (9.8 - 10.0): Up to $600
- High (7.0 - 9.7): $60 - $200
- Medium (4.0 - 6.9): $35 - $60
- Low (0.1 - 3.9): $15 - $35
- UI-related bugs: Up to $15
12.2 Secret Shopper Reward Structure
This category incentivizes participants to simulate real-world scenarios to uncover vulnerabilities that may not emerge through traditional testing methods.
Examples of Scenarios to Report:
- Being told delivery by an agent will be 15 minutes, but it takes 40 minutes.
- Refunds being described as taking 2-5 business days, but taking significantly longer.
- Gaps in communication and follow-ups, e.g., asking questions and not receiving answers within a reasonable time (e.g., currency: 1 minute; accounts: 3 minutes).
Social engineering agents to bypass common protocol, including but not limited to:
- Login password resets
- Withdrawal password resets
- Account hijacking
- Duplicated transactions
- Refund manipulation
- Fee manipulation
- Invalid coupons
- ID or other protected user information exposure
- Any libelous conduct.
- Actions causing reputational damage to the brand.
Rewards:
- Critical (9.8 - 10.0): $150 - $300
- High (7.0 - 9.7): $75 - $100
- Medium (4.0 - 6.9): $50 - $65
- Low (0.1 - 3.9): $20 - $35
Note: Spam or extending conversations in a non-organic way is not permitted.
13. Out of Scope
- Any domain not listed in the Domains section.
- Vulnerabilities requiring unrealistic user interaction.
- Common best practices violations (e.g., missing security headers).
- Theoretical security issues with no realistic exploit scenario.
14. Legal
By participating in this Bug Bounty Program, you agree to comply with all laws and regulations. Destructive testing is prohibited. If you comply with this policy and submit a report in good faith, no legal action will be pursued against you.
15. FAQ
Where can I get credentials for the application? Self-register on the application. For higher-privilege accounts, request them via email at bugbounty@accki[email protected].