Vulnerability Disclosure Policy
If you interact with accounts you do not control, participation in this program will be void. This includes sending messages, placing orders, requesting quotes, or posting in the public forum.
Brick Owl operates a vulnerability disclosure program for the reporting of vulnerabilities found in Brick Owl. Our goal is to reward security researchers who follow responsible disclosure principles and proactively reach out to us if they have identified a vulnerability which would impact the safety of our marketplace or users.
Target / Scope
The vulnerability disclosure program is focused on www.brickowl.com and all shop subdomains. It does not include the Brick Owl API or any third party libraries/tools such as PUDO tools or external APIs.
Rules
When performing security research please adhere to the following rules:
- If you create accounts, please start them with the username bugcrowd_
- Do not use the contact forms to contact accounts that you do not own.
- Do not place orders in stores that you do not own.
- Do not request shipping quotes in stores that you do not own.
- Do not create posts/comments in the forum.
- Brick Owl is a live platform. Avoid harming infrastructure, interacting with other users or attempting to access, manipulate, and/or attack accounts you do not explicitly own.
- If you use automated scanning tools, you must not use them across the entire site. Brick Owl has thousands of subdomains. Scanning tools should be targeted and rate limited to avoid harming infrastructure.
- Failure to follow these rules will void participation in the program.
Rewards
Brick Owl follows the Bugcrowd Vulnerability Rating Taxonomy for the prioritization/rating of findings. We offer rewards based on the table below, and the program exceptions.
| VRT Category | Reward |
|---|---|
| P1 | £1000 - £2000 |
| P2 | £300 - £500 |
| P3 | £150 - £250 |
| P4 | £100 - £150 |
| P5 | £0 |
Program Exceptions
- Security reports that don't pertain to Brick Owl.
- Flaws specific to out of date browsers.
- Simple, non-XSS content injection. Manipulating a URL to present a page that contains custom text does not qualify for the bug bounty program.
- Lack of the Secure flag on non-sensitive cookies.
- Lack of HTTPOnly flag on non-sensitive cookies.
- Username enumeration. While username enumeration can be a vulnerability in other web applications, Brick Owl is a public marketplace and as such usernames can be enumerated by design through a number of ways.
- Rate limiting on forms
- Lack of password policy
- CSRF issues submitted with a proof-of-concept containing a nonce.
- DoS/DDoS
- Any third party tools or systems not managed by Brick Owl
- Spam / Phishing
This program is not open to minors, individuals on sanctions lists or individuals in countries on sanctions lists. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion. You must not disrupt any service or compromise anyone’s data. You must follow the rules listed above.