Bug Bounty

We have a bug bounty to incentivize bug hunters to find and report any exploitable weaknesses in our service's security. At this moment, we are between bounty program hosts, but will be on HackerOne soon. The program was hosted at Cobalt.io from Oct 4, 2014, until July 2017.

This document augments the program description found there. The client apps that are approved for experimentation are below:

Client Apps

https://baseball.rdbhost.com

The interface only allows deletion of your own saved queries. Demonstrating deletion of anything else in the database justifies a bounty. The only private data in the database is the list of OpenId registrants. To demonstrate revelation of private data, provide the login 'key' for any of the accounts 'dkeeney2000@yahoo.com', 'dkeeney@rdbhost.com', or 'davidkeeney63@yahoo.com'.

This app can be run on http://localhost:8000, so if you wish to save the app files from your web browser and experiment with code changes running under localhost, knock yourself out.

http://gh.rdbhost.com/threefaves/

There are no provisions in the app for deleting anything. Demonstrating deletion of anything in the database justifies a bounty.

There is no private data in the database, so nothing for an exploit to reveal.

https://milpalabras.rdbhost.com

The interface only allows deletion of your own messages, and only for a few minutes after posting. Demonstrating deletion of any of my own posts (see email list below) justifies a bounty. The only durable private data in the database is the list of OpenId registrants. To demonstrate revelation of private data, provide me the login 'key' for any of my own accounts 'dkeeney2000@yahoo.com', 'dkeeney@rdbhost.com', or 'davidkeeney63@yahoo.com'.

This app can be run on http://localhost:8000, so if you wish to save the app files from your web browser and experiment with code changes running under localhost, knock yourself out.

http://www.freshfaves.com

The interface only allows deletion of your own 'faves' (bookmarks). Demonstrating deletion or alteration of any of my own faves, from account #62, justifies a bounty. The only durable private data in the database is the list of user keys. To demonstrate revelation of private data, provide me the 'key' for account #62.

Host App

http://www.rdbhost.com

This is the hosting application for administering RdbHost accounts. If you can use the site to damage data or reveal private data from any of the above accounts, you can win a bounty.

Important: Do not submit a bounty claim unless you have successfully damaged data or revealed private data per the above app descriptions. We are not interested in "could haves" or "might haves".