Security issue reporting guidelines

If you think you have found a security vulnerability in Bunnies of Las Vegas, please report it to us straight away by emailing security@bunniesoflasvegas.com. Please include detailed steps to reproduce and a brief description of what the impact is. We encourage responsible disclosure (as described below), and we promise to investigate all legitimate reports in a timely manner and fix any issues as soon as we can.

Code

We do read all reports within 24 hours, but as all reports are reviewed and personally investigated by our senior staff, it may take up to 7 business days before you hear back from us.

Responsible disclosure policy

We ask that during your research you make every effort to maintain the integrity of our users’ data, avoiding violating privacy or degrading our service. You must give us reasonable time to fix any vulnerability you find before you make it public. In return we promise to investigate reports promptly and not to take any legal action against you.

Bug bounty

Our bug bounty program is common to all services provided by Bunnies of Las Vegas.

As a measure of our appreciation for security researchers, we are happy to give full credit in any public postmortem after the bug has been fixed, and we offer a monetary bounty for certain qualifying bugs. To qualify for the bounty, you must:

  • Follow our responsible disclosure policy (see above).
  • Report the bug to us first, and give us reasonable time to fix the issue before making it public.
  • Be the first person to report the issue to us.
  • Find a bug that enables access to a system running Bunnies of Las Vegas infrastructure.

Examples of valid vulnerability types include:

  • Authentication or session management issues
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Remote Code Execution
  • Privilege Escalation

The decision of whether a bug qualifies for a bounty is solely at the discretion of Bunnies of Las Vegas. Any qualifying bug will be eligible for a bounty of a minimum of US $100 and a maximum of $5,000. The exact value will be determined by Bunnies of Las Vegas after taking into account the severity of the vulnerability, the number of users potentially affected etc. All bounties will be paid via PayPal or Bitcoin. Any taxes or fees are the sole liability of the recipient. We process bug bounty payments once a month.

General Exclusions

  • Denial of Service (DOS) and social engineering attacks do not qualify and must not be attempted against Bunnies of Las Vegas or our users under any circumstances.
  • Bugs that require exceedingly unlikely user interaction or are caused by insecurities in browser extensions do not qualify.
  • Brute force log in attempts.
  • Bugs on sites associated with Bunnies of Las Vegas but not run by Bunnies of Las Vegas do not qualify. We are grateful for any reports on issues with these sites, and we will pass on the bugs to the relevant company, however they do not qualify for a bounty.
  • Anything related to enumeration of usernames does not qualify.
  • Bugs related to unpatched, out of date or exceedingly rarely used browsers or other client software out of our control.
  • We are public about the software we run. We are not interested in reports about “leakage” of the fact we run nginx, or the version number, or Node module names or file paths.
Hall of fame

Our thanks to the following security researchers for their submissions:

Researcher Vulnerability Year Prize
Annonymous Image proxy bypass 2019 $500
Annonymous CSRF Token Disclosure 2015 $900