MPP Security Vulnerabilities Reward Program

Home > MPP Security Vulnerabilities Reward Program

MPP is dedicated to safeguarding the privacy and security of our customers by constantly seeking out and addressing security vulnerabilities. If you discover a security or privacy issue in any of our products, we want to hear from you and work together to resolve it.

Program Scope

We are interested in previously unknown security and privacy issues in the following products:

  • MPP website (https://www.myprivateproxy.net), with exceptions listed in the Out of Rewards section below
  • MPP API endpoints (https://api.myprivateproxy.net)
  • MPP proxy servers
  • MPP infrastructure servers

Qualifying Vulnerabilities

Any design or implementation issue that affects the confidentiality or integrity of customer data is likely in scope for the program. Common examples include:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Authentication or authorization flaws
  • Unauthorized/unauthenticated access to proxies
  • Remote code execution on infrastructure servers
  • Remote code execution on proxy servers
  • Access to internal company resources

Out of Scope

  • Do NOT attempt any DoS attacks.
  • Do NOT use testing tools that generate large volumes of traffic, as this will disqualify you from all bug bounties.
  • Do NOT try to hack real customer accounts; use your own accounts for testing.
  • Minor UI/UX bugs are not eligible for rewards, though we welcome feedback.
  • Previously reported issues: Only the first report demonstrating an issue will be rewarded.
  • MPP’s WordPress installation is out of scope unless it’s a critical vulnerability with a PoC of admin account takeover, RCE, deface, or redirection to another website.

Out of Rewards

Issues related to core WHMCS security at https://www.myprivateproxy.net/billing/ will be forwarded to the WHMCS security team and are not eligible for rewards. Researchers should report these directly to WHMCS at https://bugcrowd.com/engagements/whmcs. Only vulnerabilities caused by custom code or third-party modules are eligible for rewards.
IMPORTANT: Not making a good faith effort to avoid privacy violations, data destruction, or service interruption during your research will disqualify you from all bug bounties.

Rewards

Up to $100

  • Web: Cross-site scripting
  • Web: CSRF/Clickjacking

Up to $300

  • Security-related misconfiguration on production servers

Up to $1000

  • Data extraction from production servers
  • Access control issue exposing Personally Identifiable Information (PII)
  • Access control issue allowing viewing/controlling another customer’s account

Up to $2000

  • Remote code execution on production servers
  • Significant authentication bypass on production servers containing critical information

The final reward amount is determined at the discretion of the investigating team. We may pay higher rewards for unusually severe security issues or lower rewards for vulnerabilities with a very low likelihood of occurring. We may also decide that a single report consists of several bugs, or that several reports are actually the same issue.

Reporting Bugs

Please include the following in your report:

  • Overview: Short technical description
  • Proof of Concept: Detailed steps to reproduce the vulnerability
  • Impact: Explanation of how the attack could be executed in a real-world scenario
  • Suggested Fix: How this vulnerability should be addressed
  • Allowed file extensions for attachments: .jpg, .png, .gif, .txt, .csv, .wav, .mp4, .webm, .flv, .ogg, .wmv or a link to the file in cloud storage

Any additional information – network data, usage examples, specs, or videos – is welcome. Reports should be submitted in English.

Bounty Payments

Bounty payments are subject to the following restrictions:

  • Minors are welcome to participate, but those under 13 will need to claim bounties through a parent or legal guardian due to the Children’s Online Privacy Protection Act.
  • All payments will be made in U.S. dollars (USD) and will comply with local laws, regulations, and ethics rules. You are responsible for any tax consequences of the bounty, as determined by your country’s laws.
  • It is your responsibility to comply with any policies your employer may have that could affect your eligibility to participate in this bounty program.

Thank you for helping us keep MPP secure.