Wamba Bug Bounty Program

Wamba invites you to take part in the Wamba Bug Bounty Program, which aims to find possible vulnerabilities in our service. We give a reward for each vulnerability found, and add the names of users who successfully found them to our Hall of Fame.

How to take part in the Bug Bounty program

  • Try to find bugs that may be hidden in the Wamba web service and mobile applications for iOS and Android. These may include:
    • Cross-site scripting (XSS);
    • Cross-site request forgery (CSRF);
    • Injections of program code and SQL statements;
    • Vulnerability in session management.
  • Have a look at the principles of responsible disclosure.
  • Use the Vulnerability submission page to point out any vulnerabilities found.
  • Earn a well-deserved reward: the bigger the bug, the bigger the reward!
Present and former company staff as well as their relatives and friends are not allowed to participate in the programme.

Vulnerability submission

We accept reports of various types of bugs in the Wamba Web Service and mobile applications for iOS and Android. These may include:
  • Cross-site scripting (XSS);
  • Cross-site request forgery (CSRF);
  • Injections of program code and SQL statements;
  • Vulnerability in session management.
This list is not complete. If you find any other bug that could compromise Wamba service user data or prevent the service from working, make sure you tell us about it.
To tell us about any bug discoveries, use the form below. If you wish to report more than one bug, fill out the form again.

We will acknowledge receiving your message.

Reward Value

We subdivide our services into critical and other services.
Critical services are user authorization, storage of users’ personal data, and the payment system.

Critical services:
  • Injections of program code and SQL statements – $3000;
  • Cross-site scripting (XSS) – $300;
  • Cross-site request forgery (CSRF) – $300;
  • Vulnerability in session management – $150;
Other services:
  • Injections of program code and SQL statements – $1000;
  • Cross-site scripting (XSS) – $150;
  • Cross-site request forgery (CSRF) – $150;
  • Vulnerability in session management – $100;
In special cases the reward value for disclosure can be increased.
Payment to non-Russian citizens is possible only via PayPal.
Please note that only the first person to report a problem gets the reward.

Principles of responsible disclosure

We expect users who search for vulnerabilities on the Wamba service to adhere to the principles of responsible disclosure.
This means that a person who discovers a vulnerability and reports it via the form will not disclose information about the vulnerability to third parties whilst the bug is being fixed.
Members of the program should not in any way disclose information that has been obtained as a result of their research. This includes users’ personal data, as well as any other information that could affect the Wamba service.