N45HT Bug Bounty

 started soon 

No technology is perfect, and N45HT believes that collaborating with skilled security researchers around the world is essential for identifying weaknesses in any technology. If you believe you have found a security issue in our product or service, we encourage you to notify us. We welcome the opportunity to work with you to resolve the issue promptly.

Response Targets

N45HT will make every effort to meet the following response targets

Type of responseBusiness day
First response3 business days
Triage7 business days
Resolution30 business days

Report Security Vulnerability

  • Please provide details of the issue, including the Proof of Concept, URL vulnerability, and detailed reproduction steps.
  • Submit one vulnerability per report, unless it is necessary to chain vulnerabilities to demonstrate impact.
  • Social engineering is prohibited.
  • Do not perform DoS or DDoS attacks.
  • Please use English when submitting a security vulnerability.

Exceptions and Rules

Any activity that disrupts, damages, or adversely affects any third-party data or account is not allowed

Public Disclosure

N45HT does not currently support public disclosure at this time

In Scope Vulnerability

  • SQL Injection
  • Broken authentication
  • Broken access control
  • Cross-site Scripting (XSS)
  • Remote Code Execution (RCE)
  • XML External Entity Attacks (XXE)
  • Server-side Request Forgery (SSRF)
  • Cross-site Request Forgery (only critical CSRF vulnerabilities)
  • Privilege Escalation

Out of Scope Vulnerability

The following actions do not qualify for the Vulnerability Disclosure Program and should not be tested by researchers.

  • Self-XSS (e.g. XSS that only works with 3rd party apps)
  • Text Injection
  • HTML Injection
  • Tabnabbing
  • Banner or version disclosures (Programming Language/CMS/DBMS version, etc)
  • Phishing Attacks
  • Bruteforce Attacks or User Enumeration
  • Denial of Service Attacks
  • Login/logout/low-impact CSRF
  • CSRF on forms that are available to anonymous users
  • Social Engineering
  • DNS Attack through Social Engineering
  • Clickjacking/UI redressing
  • Scanner output or scanner-generated reports, including any automated or active exploit tool
  • Input returned in the response (reflected) with no sensitive impact
  • Missing SPF/DMARC/etc records
  • Clear Text Transmission Of Sensitive Data
  • Directory listing (unless sensitive data can be found)
  • Username enumeration
  • PHP version disclosure via HTTP header
  • Public Key (including Public API Key, Visitor Counter Key, and Web ID) refers to any public key that does not have critical issues
  • Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages