If you think you have found a security vulnerability in Bunnies of Las Vegas, please report it to us straight away by emailing email@example.com. Please include detailed steps to reproduce and a brief description of what the impact is. We encourage responsible disclosure (as described below), and we promise to investigate all legitimate reports in a timely manner and fix any issues as soon as we can.
We do read all reports within 24 hours, but as all reports are reviewed and personally investigated by our senior staff, it may take up to 7 business days before you hear back from us.
We ask that during your research you make every effort to maintain the integrity of our users’ data, avoiding violating privacy or degrading our service. You must give us reasonable time to fix any vulnerability you find before you make it public. In return we promise to investigate reports promptly and not to take any legal action against you.
Our bug bounty program is common to all services provided by Bunnies of Las Vegas.
As a measure of our appreciation for security researchers, we are happy to give full credit in any public postmortem after the bug has been fixed, and we offer a monetary bounty for certain qualifying bugs. To qualify for the bounty, you must:
Examples of valid vulnerability types include:
The decision of whether a bug qualifies for a bounty is solely at the discretion of Bunnies of Las Vegas. Any qualifying bug will be eligible for a bounty of a minimum of US $100 and a maximum of $5,000. The exact value will be determined by Bunnies of Las Vegas after taking into account the severity of the vulnerability, the number of users potentially affected etc. All bounties will be paid via PayPal or Bitcoin. Any taxes or fees are the sole liability of the recipient. We process bug bounty payments once a month.
Our thanks to the following security researchers for their submissions:
|Saga||Cacheable HTTPS response||2021||$200|
|Annonymous||Image proxy bypass||2019||$500|
|Annonymous||CSRF Token Disclosure||2015||$900|