Managed apps · Whatbox

Security Policy > Managed apps

Reporting discoveries

Scope

ruTorrent on subdomains of xob.ac only.
rTorrent on subdomains of xob.ac only.
Deluge on subdomains of xob.ac only.
Deluge (WebUI) on subdomains of xob.ac only.
Transmission on subdomains of xob.ac only.
Sonarr on subdomains of xob.ac only.
Radarr on subdomains of xob.ac only.
Prowlarr on subdomains of xob.ac only.
Jackett on subdomains of xob.ac only.
Syncthing on subdomains of xob.ac only.
Jellyfin on subdomains of xob.ac only.
qBittorrent on subdomains of xob.ac only.
SABnzbd on subdomains of xob.ac only.
Autobrr on subdomains of xob.ac only.
Bazarr on subdomains of xob.ac only.

Rewards

Rewards will be sent via PayPal only.

Category	Cash	Service credit
XSS	0 USD	0 USD
Missing or Incorrect HTTP Headers	0 USD	0 USD
Missing or Incorrect DNS Records	0 USD	0 USD
Weak TLS Ciphers	0 USD	0 USD
SSL Certificate Errors	0 USD	0 USD
CSRF	0 USD	0 USD
Spoofing	0 USD	0 USD
Phishing	0 USD	0 USD
Confusion	0 USD	0 USD
Internal Server Errors	0 USD	0 USD
Application Crash	0 USD	0 USD
Denial of Service	0 USD	0 USD
Rate Limits	0 USD	0 USD
Resource Use	0 USD	0 USD
Credential stuffing	0 USD	0 USD
Authentication bypass	3,000 USD	12,000 USD
Unauthenticated remote code execution	4,000 USD	16,000 USD
Unauthenticated file read	3,000 USD	12,000 USD
Unauthenticated file write	4,000 USD	16,000 USD

Recently rejected

Software version with known CVEs

While we regularly install hundreds of software updates, we do not consider outdated software inherently insecure, even if there are known CVEs in the older version.

When managing hundreds of packages, it is necessary that updates go through a quality assurance process. Occasionally it is necessary for us to holdback security fixes or to offer an older version of software for interoperability reasons.

You are encouraged to use known CVEs to assist you in generating a working Proof of Concept. But without a working Proof of Concept, reports of outdated software versions will be rejected.