Bug Bounty Program


Scope

  • Domain: stage copy of www.b1.lt server (accessed via whitelisted IP, please contact us for more information)
  • Registration in bounty program required (via bounty[@]b1.lt)
  • Using www.b1.lt domain for bounty hunting is strictly prohibited


Vulnerabilities

  • Unauthorized access to project servers (vulnerabilities that lead to remote code execution, RCE).
  • XSS vulnerabilities on the assets with critical functionality (with proven script execution)
  • Server-side vulnerability with information disclosure (for ex. memory leaks or insecure direct object references) of critical or highly confidential data.
  • Internal balance manipulations (with no balance)
  • Authentication bypass or privilege escalation.
  • Injection vulnerabilities
  • Any other vulnerability that can lead to loss of user privacy.


Issues considered out of scope:

  • Disclosure of non-sensitive information (for ex. project version) and information that does not present significant risk.
  • Reports of missed protection mechanism / best current practice (for ex. no CSRF token, framing/clickjacking protection, tabnabbing) without demonstration of real security impact for user or system;
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions;
  • CSRF on self-hosted servers, unless proved to be present on public server;
  • Attacks requiring MITM or physical access to a user's device;
  • Content spoofing and text injection issues without showing an attack vector;
  • Missing best practices in SSL/TLS configuration or in Content Security Policy;
  • Missing HttpOnly or Secure flags on cookies;
  • Missing best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.);
  • Insecure password complexity requirements
  • Vulnerabilities related to 3rd-party software unless they lead to vulnerability in our scope
  • Vulnerabilities involving stolen credentials
  • Phishing and social engineering
  • Issues that require unlikely user interaction
  • Publicly disclosed issues


Program Rules

  • If you think you have found a security vulnerability, please provide us with a detailed report including reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (phishing, etc.) is prohibited.
  • Vulnerability must be original and previously unreported.
  • Do not perform any attack that could harm the reliability or integrity of our services or data.
  • Avoid scanning techniques that are likely to cause degradation of service to our customers (for ex. DoS, spamming).
  • Refrain from stealing or disclosing users' private information.


Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.


Amount of Reward

In determining the amount of payout, we will take into account the level of risk and impact of the vulnerability:

  • Critical: 400–500 EUR
  • High: 200–300 EUR
  • Medium: 100–200 EUR
  • Low: 10–100 EUR