Bug bounty program

Program details

CS.MONEY's main prerogative is to give our 3.5+ million users the opportunity to sell, trade or buy any CS:GO or DOTA 2 items they want, so we have to ensure that our users' personal information is safe and secure. We decided to launch our public bug bounty program to improve the security of our site. The goal of this bounty is to find vulnerabilities which affect the confidentiality, integrity, or availability of our services and code run by us or our customers.

Target overview

12 vulnerabilities rewarded

Validation within 2 days

75% of submissions are accepted or rejected within 2 days

$450 average payout (last 3 months)

If you find a vulnerability or you want to clarify information about the conditions of the program, contact us:

Reward guidelines

Target | Reward
XSS or CSRF vulnerabilities which have significant impact | $500 +
Clickjacking | $100 +
Remote code execution on the server, illegitimate access to our servers, disclosure of the internal private API | $1000 +
Any illegitimate access to our support system | $500 +
Vulnerabilities in other systems (e.g. pic.money, s1.cs.money, etc.) which can disrupt the operation of the main site | $500 +
Any deanonymization of users or users' data: trading history, telephone numbers, IPs, etc. | $500 +
Incorrect saving of data. For instance, saving credit card numbers in cookies | $250 +
Any errors in business logic which can lead to loss of money. For example: bugs where the balance wasn't deducted after a skin was bought or traded. The bounty can easily be increased if a greater vulnerability is discovered. | $100 - $5000
Authorization or authentication bypass | $500 +