Thank you for your interest in participating in the NusaTeam.dev Bug Bounty Program. Our goal is to maintain a secure and reliable online environment for our users, and we value the contributions of security researchers in helping us achieve this goal.
Contact Information:
For reporting security vulnerabilities, please contact us via email at security@nusateam.dev.
Scope:
The scope of our bug bounty program includes the following domains:
- nusateam.dev
- api.nusateam.dev
- blog.nusateam.dev
- security.nusateam.dev
- developer.nusateam.dev
Out of Scope:
The following domains are considered out of scope for our bug bounty program:
- *.nusateam.dev (All subdomains)
Bounties:
We offer the following bounties for qualifying vulnerabilities:
| None | Low | Medium | High | Critical |
| --- | --- | --- | --- | --- |
| $0 | Up to $50 | Up to $100 | Up to $500 | Up to $1,000 |
Rewards:
Qualified researchers who responsibly disclose vulnerabilities may be eligible for the following rewards:
- Cash rewards
- Certificate of Recognition
- Inclusion in our Hall of Fame
Qualifying Vulnerabilities:
We encourage the reporting of vulnerabilities that pose a risk to the security or integrity of our systems. Examples of qualifying vulnerabilities include, but are not limited to:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
Non-Qualifying Vulnerabilities:
The following vulnerabilities are considered non-qualifying and are not eligible for bounties:
- Vulnerabilities affecting users of outdated browsers or platforms
- Account brute force
- Account takeover via CSRF/OAuth etc.
- CRLF
- Self-XSS
- Flash-based XSS
- Tabnabbing
- Email spoofing
- Session fixation
- Cache Poisoning
- Content Spoofing
- Missing cookie flags
- Best practices/issues
- HTML content injection
- Mixed content warnings
- Clickjacking/UI redressing
- HTTPS/SSL/TLS Related Issues
- Physical or social engineering attacks
- Reflected file download attacks (RFD)
- Issues that require unlikely user interaction
- Login/logout/unauthenticated/low-impact CSRF
- Unverified results of automated tools or scanners
- No SPF/DMARC in non-email domains/subdomains
- Attacks requiring MITM or physical access to a user’s device
- Issues related to networking protocols or industry standards
- Carriage Return Line Feed injection without direct impact (CRLF)
- Error information disclosure that cannot be used to make a direct attack
- Missing security-related HTTP headers which do not lead directly to a vulnerability
Responsible Disclosure:
Researchers are expected to adhere to responsible disclosure practices when identifying and reporting vulnerabilities. This includes:
- Providing detailed information about the vulnerability, including steps to reproduce and potential impact.
- Not disclosing the vulnerability to any third parties until it has been adequately addressed by our security team.
- Respecting the privacy and integrity of our systems and data during the testing process.
Legal Considerations:
NusaTeam.dev reserves the right to discontinue or modify the bug bounty program at any time without prior notice. We are committed to working collaboratively with security researchers to address reported vulnerabilities promptly and to reward eligible contributions fairly.
Thank you for helping us improve the security of our platform. We look forward to your participation in our bug bounty program!
Note: We have temporarily halted our bug bounty program until further notice. Reports submitted during this period will not be eligible for rewards.