Ultra.cc Bug Bounty Program

Security is core to our values, and we value the input of security researchers to help us maintain a high standard for security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good-faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.


When working with us according to this policy, you can expect us to:


The following are the list of platforms that are within this scope of the program.

Out of Scope


Ultra.cc Website and User Control Panel

 Category UP TO* PayPal Credit UP TO* Service Credit
 XSS  EUR 100  EUR 200
 XSS (Bypassing CSP)  EUR 200  EUR 300
 CSRF  EUR 300  EUR 450
 Authentication Bypass  EUR 500  EUR 750
 SQL Injection  EUR 1000  EUR 1500
 Arbitrary code execution  EUR 1000  EUR 1500
 Arbitrary code execution (with privilege escalation)  EUR 2000  EUR 3000
 Persistent code change  EUR 1000  EUR 1500

Ultra.cc App Hosting Solutions Infrastructure

 Category UP TO* PayPal Credit UP TO* Service Credit
 Authentication Bypass (SSH, FTP, VPN, etc.)  EUR 500  EUR 750
 Authentication Bypass of Supported Apps  EUR 100  EUR 200
 Local privilege escalation  EUR 500  EUR 750

* Payout Determination Policy

We determine payout values based on the risk and impact to our systems and users. Our evaluations are fair and honest, reflecting the actual security threat posed by the vulnerability. For instance, a researcher might identify a logical flaw, but if this flaw requires particular conditions that are unlikely to occur in a real-world scenario, the payout will be adjusted accordingly.

Additionally, vulnerabilities that involve accessing data already available to the researcher through another tab or session will be assessed based on the risk of unauthorized access or exposure. While we value all contributions, the payout for such findings will reflect their limited impact.

Receiving Your Award

Ground Rules

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research conducted under this policy to be:

You are expected, as always, to comply with all applicable laws. If a third party initiated legal action against you and complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through the Ticket System before going any further.

Disclosure Policy

If you believe you have discovered a vulnerability, please create a ticket through the Ticket System.

Revision #20
Created 23 June 2020 14:27:03
Updated 30 June 2024 23:45:13 by iStanCFC