UltraSeedbox Bug Bounty Program

Ultra.cc Bug Bounty Program

Security is core to our values, and we value the input of security researchers to help us maintain a high standard for security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good-faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.


When working with us according to this policy, you can expect us to:


The following are the list of platforms that are within this scope of the program.

Out of Scope


Ultra.cc Website and User Control Panel

 Category PayPal Credit Service Credit
 XSS  EUR 150  EUR 300
 XSS (Bypassing CSP)  EUR 1 000 EUR 1 500
 CSRF  EUR 300 EUR 600
 Authentication Bypass  EUR 1 500  EUR 3000
 SQL Injection  EUR 10 000 EUR 20 000
 Arbitrary code execution  EUR 4 000 EUR 8 000
 Arbitrary code execution (with privilege escalation)  EUR 15 000  EUR 30 000
 Persistent code change  EUR 10 000 EUR 20 000

Ultra.cc App Hosting Solutions Infrastructure

 Category PayPal Credit Service Credit
 Authentication Bypass (SSH, FTP, VPN, etc.)  EUR 500 EUR 1 000
 Authentication Bypass of Supported Apps  EUR 250 EUR 500
 Local privilege escalation EUR 1 000 EUR 2 000

The List of the Researchers who report the valid vulnerabilities and exploits will be displayed on our Hall of Fame to extend our gratitude towards them.

Receiving Your Award

Ground Rules

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research conducted under this policy to be:

You are expected, as always, to comply with all applicable laws. If a third party initiated legal action against you and complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through the UltraSeedbox Ticket System before going any further.

Disclosure Policy

If you believe you have discovered a vulnerability, please create a ticket through the UltraSeedbox Ticket System.

USB Bug Bounty Hall of Fame