FBN Bug Bounty Bug Bounty Scope The following websites are within the scope of the program: *.fbn.com Farmers Business Network Mobile apps (iOS and Android) *.gradable.com Non-Intrusive Submissions Handling The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules: - Cross Site Scripting (XSS) - Open Redirect - Cross Site Request Forgery (CSRF) - Improper Access Control General Requirements: Give adequate information allowing the vulnerability to be reproduced, so we will be able to resolve it as quickly as possible. In particular please include at least the following information: type of vulnerability; service or URL or IPs affected; requirements to reproduce the issue; information necessary to reproduce the issue; impact of the vulnerability together with an explanation of how an attacker could find it and exploit it. Only perform low resource testing. Any automated tools should be set at the lowest possible rate. We will respond to a valid submission within 10 business days with our evaluation of the report. We will not pass on your personal details to third parties without your permission, unless it is necessary to comply with a legal obligation. Reporting under a pseudonym or anonymous is possible. We will keep you informed of the progress towards resolving the problem. Testing Requirements: Do not take advantage of the vulnerability or problem you have discovered. Do not perform any activity that can damage us or our customers, disrupt the impacted system or service or cause any data leakage/loss. Respect the privacy of our users: you are not allowed to use any personal data for purposes other than protect our users and their data, in accordance with this policy. Keep confidential any information about discovered vulnerabilities until we have had time to fix and validate the issue. Do not demand financial compensation in order to disclose any vulnerabilities. Do not place, install, render, or effect backdoors, keyloggers, malicious code, or otherwise unwanted software or code in FBN owned digital assets and systems. Do not make changes to the system or application. Do not use Denial of Service attacks or brute force access. Do not use aggressive automated scanning. Any testing that takes place must be done to have minimum resource impact on the service. Do not physically attack our staff or infrastructure. Do not use social engineering techniques on our employees or contractors. Reports about TLS ciphers, email spam, volumetric attacks, missing web security headers and “best practices” in general will NOT be considered as valid submissions, unless you are able to craft an exploit that leverages also the lack of such headers or configurations. Possible Awards: Recognition and endorsement Gift Cards or Cash