Skip to content

Bug Bounty Program

Responsible Disclosure of Security Vulnerabilities

If you have discovered a vulnerability, we request that you responsibly disclose the vulnerability to our security team by taking the following steps:

  1. Do not attempt to exploit the vulnerability. Do not share the suspected vulnerability or any data with others. Do not store or copy any unauthorized data. Doing any of these things will void eligibility for a bounty program reward.
  2. Email the details to our Security Incident Response Team at [email protected].
  3. If the contents of the vulnerability are sensitive in nature, please use our PGP key found below to encrypt the information.

Ranking Vulnerabilities

All reported vulnerabilities are checked for validity, ranked, and then reviewed by the Leap Event Technology Information Security Team.

Leap Event Technology has established a Vulnerability Ranking Matrix based on NIST's Common [Vulnerability Scoring System V3](https://nvd.nist.gov/vuln-metrics/cvss). The Vulnerability Ranking Matrix is defined below. Vulnerabilities are ranked using the guidelines below with assistance from the [NIST CVSS Calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The final ranking for a vulnerability is the sole discretion of Leap Event Technology Information Security Team.

P1: Critical

CVSS >= 9.0

Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, large scale access to PII, etc.. At the discretion of Leap Event Technology, vulnerabilities that demonstrate a critical, widespread risk to information security may be eligible to receive a reward greater than the standard bounty.
Example: Vulnerabilities that result in unrestricted Remote Code Execution such as Vertical Authentication bypass, SSRF, XXE, SQL Injection, User authentication bypass.

P2: High

CVSS 7.0 - 8.9

Vulnerabilities that affect the security of the platform including the processes it supports.
Example: Lateral authentication bypass, Stored XSS, some CSRF depending on impact.

P3: Moderate

CVSS 5.0 - 6.9

Vulnerabilities that affect multiple users, and require little or no user interaction to trigger.
Example: Some reflective XSS, Some direct object reference, URL Redirect, some CSRF depending on impact.

P4: Low

CVSS < 5.0

Issues that affect singular users and require interaction or significant prerequisites (MITM) to trigger.
Example: Common flaws, Detailed debug information.

P5: Acceptable

Non-exploitable weaknesses and “won’t fix” vulnerabilities. Best practices, mitigations, issues that are by design or acceptable business risk to the customer such as use of CAPTCHAS.

In Scope Domains

The following domains are included in this program.

  • www.showclix.com
  • admin.showclix.com
  • app.ticketleap.com
  • admin.ticketleap.events
  • www.ticketleap.events
  • {organization}.ticketleap.com
  • onsite.activations.leapevent.tech
  • admin.activations.leapevent.tech
  • public.activations.leapevent.tech
  • api.activations.leapevent.tech
  • prizeredemption.activations.leapevent.tech
  • admin.mobile.leapevent.tech
  • www.ticketbooth.com.au
  • www.ticketbooth.co.nz
  • www.ticketbooth.eu
  • admin.ticketbooth.com.au
  • admin.ticketbooth.co.nz
  • admin.ticketbooth.eu
  • events.ticketbooth.com.au
  • events.ticketbooth.co.nz
  • events.ticketbooth.eu
  • checkout.conventions.leapevent.tech
  • admin.conventions.leapevent.tech
  • register.conventions.leapevent.tech
  • store.epicphotoops.com

In Scope Mobile Applications

Scope Exclusions

The following categories of reports are considered out of scope for our program and Leap Event Technology will NOT provide any reward pay out:

Any vulnerability with a CVSS 3 score lower than 4.0, unless it can be combined with other vulnerabilities to achieve a higher score.
Brute force, DoS, phishing, text injection, or social engineering attacks. Wikis, Tracs, forums, etc are intended to allow users to edit them.
Availability of XML-RPC file without PoC demonstrating a significant security impact. As noted above, this excludes DDoS and brute force attacks.
Security vulnerabilities in WordPress plugins
Self-XSS and issues exploitable only through Self-XSS
A Note about XSS

Please note: If you've identified an XSS issue (especially on our www site), please make sure it is actually exploitable beyond Burp Suite or whatever you're using. If you can't reproduce the XSS in a browser, we will likely consider it self-XSS, and an invalid submission.

Mixed content warnings for passive assets like images and videos
Clickjacking with minimal security implications
Non critical issues that affect only outdated browsers.
Cross-site Request Forgery (CSRF) with minimal security implications (Login/logout/unauthenticated)
A Note about CSRF

If you're reporting a CSRF issue and your POC includes the CSRF token, we will assume that you don't understand what CSRF issues are, nor how CSRF prevention works. Please don't report a CSRF vulnerability if your POC includes the CSRF token. (If you can get the CSRF token from a victim, show that.)

Missing cookie flags on non-sensitive cookies.
Reports of non-exploitable vulnerabilities and violation of “best practices” (e.g. Lack of HTTP security headers (CSP, X-XSS, etc.)
Lack of secure/HTTP-only flags on non-session cookies
Server error messages that do not contain internal, confidential or restricted data or avenues to obtain it
DNS record configuration (SPF, DKIM, DMARC, CAA, DNSSEC, etc)
Theoretical vulnerabilities where you can't demonstrate a significant security impact with a PoC.
Some forms do not have rate limiting / brute-force protections. We will consider this out of scope for the program.
Known issues that have been previously reported.

Changes to the Program

We may update or suspend this Program at any time without any prior notice. We encourage you to periodically review this page for the latest information on this Program. Any submitted reports will be processed using the Program terms in effect at the time our Security Incident Response Team reviews the report.

PGP Key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQENBF1j//MBCACxqIOVGeab36yHCMqfRndP7H8o1XuQenT0O1yIZf6+27Z9Qn0x
wPB4y477I8BrIapHf4lB6nObFs3IrCvEfBwF4/QXgR5EG6ZesvqnYNYvnqWOmywy
o0BSpE03h1CTDvbqstINmjsqRLFcLs8pC78xw7Ao/mvxg3bmNk44V0lDU4Q0GjSI
+F252OFcos/JkikGPL4TZorRa+OKyJDZnBRE2WyFpBtrQ4g5BG029rlX6WjuSCKs
v6TPgS2o8yoksQD2tbLYEEQ3wIwTfhE+GI28qgrK/c+SNY2qskhfJ85WGc7l87+d
Ilfgj6jGnEg5P1UUM6l+epFklih3QYxeAB/LABEBAAG0RlBhdHJvbiBUZWNobm9s
b2d5IEluZm9ybWF0aW9uIFNlY3VyaXR5IDxzZWN1cml0eUBwYXRyb250ZWNobm9s
b2d5LmNvbT6JATgEEwECACIFAl1j//MCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4B
AheAAAoJEKO1jLZ11HH46IgH+wVppvN8tpPjUKkTGUtAmoHUt4dysWEylafzEMCD
oJwGDkDNnthsEIx6zfekFXyWD9Ievv/3+EIbonsw8lw0EzGkN3lXqvDdTCEogfp/
LhkTA2xEWNI7Vic8CdXM1P9xE+T1NpWVSx+FbvP1ygA6i67oEYN+IzWwmwG/AgRU
IU89W1p9vdJLQl8HVkl6E0Zo1QKZlglU3Hd9W1IBiF68z3ounc786DV+QwhnUT4z
HylB+sgiOD1SLPQV+WLtCms3gTNecJi3/IO8BBaylXmkvqbqdPTrkoq3+iSLyq3c
bsVszrS/xxnR2c7cbIlUB25tazmNOJYaB2jeK0CG0g3tBNm5AQ0EXWP/8wEIALxV
iyBnQLfXhP/ZK/vsQUXkd5gB0nmdn79w8LYes7uW5MZWmoD6wqumNZxzzR5TG0pg
D4WdegjqXLs/XJTGj0EHjAr1peQhtoHbcRcZTC/oan9wjGCTCuB2bS/8GLlcSRHC
6MO3Q9vWmVf8yQUfNBP59P/gv+vbvyu68Ud8gsz7PkisnxF06IvX3JfFR42tctbe
BViPWl/FwLqu4fHr/pjdR8XkE7Xozhor+coR77uEIGnwxLGj0f6conI7yrVDqf/i
+ToucemElNYgWz0zrY1oh4liM8DI82WyXsAc098Bw3EXPadtOeZFm00XjqD5+G6q
j1oPz98yeUdHNXai06EAEQEAAYkBHwQYAQIACQUCXWP/8wIbDAAKCRCjtYy2ddRx
+MzDB/9J5u7eBU+GEU7YxQKioZHaszQeQfhWBSHAKlY1N2WlB+YX4YVcHC+8NWvf
H8aYM3sIEdpFBwQyHS4KieQ4oqGNxd89lEor+q3l0WH7CUF86BfaTsOs6mIL/lDE
bDTbzhNgiB3X46SlVRe8opFY4H2LZJdirtkZTHGMhTxECFTrwT5XTI0ylINMe1cf
C1FGeAw1SGoRSIHX4CXSIBmkn8QeW+ls1L3neCysWo207/4RW1hlgngvqVmcCum/
t92SKmAFWoMJ0T5KtkKmnjwIeIkVlbLms9vaqyHFN1YQW7S86BJO+Jwc3vbGSGWm
tCg3+aUBuGgaNb5gJOdSkAZQCn/u
=EcV3
-----END PGP PUBLIC KEY BLOCK-----

Decorative element