Vulnerability Price List

Zerocopter uses minimal bounties to reward our Researchers for finding unknown vulnerabilities. We subtract an all-in price from your Researcher Program budget per validated vulnerability. The all-in price includes the reward paid to the researcher and a 30% handling fee.

Severity High

Category                                                      All-in Amount (EUR)  Reward Amount (EUR)
Injection                                                     1950                 1500
XML external entity injection (XXE)                           1950                 1500
Remote code execution (RCE)                                   1950                 1500
Password disclosure                                           1300                 1000
Misconfigured DNS                                             1300                 1000
Using default credentials                                     1300                 1000
Insecure direct object reference on a critical function       1300                 1000
Server-side request forgery (SSRF)                            1300                 1000
Vertical authentication bypass                                1300                 1000
Private API key disclosure                                    1040                 800
Horizontal authentication bypass                              1040                 800
SSL attack (Heartbleed)                                       910                  700
Insecure direct object reference on an important function     780                  600
Predictable session token leading to an authenticated user    650                  500
Stored cross-site scripting publicly accessible               650                  500

Severity Medium

Category                                                      All-in Amount (EUR)  Reward Amount (EUR)
Cross-site request forgery (CSRF) - critical function         520                  400
Same-origin policy bypass                                     520                  400
Cross-site request forgery (CSRF) - important function        390                  300
Insecure direct object reference on a non-important function  390                  300
Reflected cross-site scripting publicly accessible            390                  300
Stored cross-site scripting in portal                         260                  200
HTTP response splitting                                       260                  200
Clickjacking                                                  195                  150
Open redirect                                                 195                  150
Visible detailed error page                                   195                  150
Missing Secure or HttpOnly cookie flag                        195                  150
Reflected cross-site scripting in portal                      195                  150
Stored cross-site scripting self XSS                          195                  150

Severity Low

Category                                                      All-in Amount (EUR)  Reward Amount (EUR)
Insecure SSL - insecure cipher suite                          130                  100
Insecure SSL - lack of forward secrecy                        130                  100
Off-domain cross-site scripting                               130                  100
Injection, other                                              130                  100
No rate limiting on login form                                65                   50
Weak password policy                                          65                   50
Outdated software version                                     65                   50
Unsafe file upload                                            65                   50
Cross-site scripting self XSS                                 65                   50
Lack of password confirmation when deleting account           65                   50
Lack of password confirmation when changing password          65                   50
Lack of password confirmation when changing email address     65                   50
Referrer XSS                                                  65                   50
Cookie-based cross-site scripting                             65                   50
IE-only XSS                                                   65                   50
Session fixation                                              65                   50
Failure to invalidate session on password change              65                   50
Weak login function                                           65                   50
Sensitive information in URL                                  65                   50
Failure to invalidate session on logout                       65                   50
CSV injection                                                 65                   50
Reflected file download                                       65                   50
Content spoofing                                              65                   50

© Zerocopter B.V.