InterNACHI® Bug Bounty Program

InterNACHI® offers a bug bounty program with rewards based on the CVSSv3 Score associated with the discovered bug. We attempt to respond within one business day and will pay on triage (as soon as the bug has been confirmed).

Summary

Higher impact bugs and higher quality reports result in larger rewards. Please submit one report per bug. Rewards are paid to the first report. If the same bug is reported multiple times in the same timeframe, the best report will be rewarded.

Bugs with scores below 6 may not be rewarded. Critical bugs will always be rewarded.

Program Scope

In Scope

  • All InterNACHI® websites and mobile apps.
  • Domains: https://*.nachi.org, https://*.internachi.org
  • Please only use InterNACHI® accounts that you own. You may create a free guest account for testing.
  • Please be responsible and respectful of our members.

Out of Scope

  • Login and logout CSRF.
  • Accessing cached content after logout or restoring cookies.
  • Any attack that allows a user to gain access to an account that they already have access to.
  • Any attack that requires access to valid credentials (login, cookie, etc.) without a method of acquiring those credentials (i.e. exploits that require physical access to someone's device, or theoretical man-in-the-middle/CSRF attacks).
  • Rate limiting.
  • Email spoofing.
  • DNSSEC and DANE.
  • Issues in unsupported browsers or browser extensions.
  • Reflected File Download.
  • Missing HSTS policy.

Disqualifiers

  • Attempting to access other members’ accounts. You may create free guest accounts for testing (please only create the minimum number of accounts needed for testing).
  • Any denial of service or disruption of access to InterNACHI® sites or apps.
  • Social engineering of any kind against members or InterNACHI® staff.
  • Overwhelming our member services team with messages. Don't fuzz test any support forms.
  • Physical intrusion.
  • Automated scanning and brute-forcing.

Testing Guidelines

  • When making HTTP requests, please include an X-Bug-Bounty header in the request if at all possible.
  • If you create free guest accounts for testing, please include “bugbounty” somewhere in your email address (you can use plus addressing or similar strategies).

Rewards

CVSSv3 Score    Bounty Range
1–5             Up to $300 USD
6               Up to $800 USD
7               Up to $1,750 USD
8               Up to $3,500 USD
9               Up to $7,500 USD
10              Up to $10,000 USD