Platform surfaces worth pressure-testing
BiteCo routes user sessions through apps and APIs, emits signed webhooks, enforces tenant or org boundaries, proxies partner callbacks, caches HTML/JS at the edge, and schedules jobs that mutate user-visible state — fertile ground for broken access control, cross-tenant leaks, and silent state corruption if any boundary slips. This playbook rewards only highest-impact, fully demonstrated criticals — each earns $5,000.
In scope materially: every HTTP(S) origin answering for biteco.one and delegated subdomains, WebSocket channels they operate, databases and object stores their workers touch, signing keys they custody for Bearer/HMAC flows, preview or staging shards they label, observability paths they operate, SDK loaders or deep links they document.
The only exclusions are universal legal and ethical ones: mass harassment, ransomware against unrelated third parties, money laundering. There are no product carve-outs.
Two deliverables gate payment:
- Narrative kill chain tying root cause → exploit steps → observable impact.
- Proof the attack succeeds (replayable scripts, fixture logs, Burp/HAR with matched responses).
Narratives without a working exploitation path are graded below payout threshold.
Why probe BiteCo?
Flat $5K critical payouts
Validated critical exploits with reproducible payloads earn exactly $5,000 USD — single paid tier on this ledger.
API + automation blast radius
Integrations and webhooks multiply state; chained bugs can be monetized quietly until someone replays them with receipts.
No fake micro-scope list
If BiteCo can patch or configure it — from edge bundles to queue workers — testers escalate until severity lands.
Responsible disclosure halo
Demonstrated exploits with airtight chains earn coordinated publication credit after fixes ship.
$5,000 per validated critical
There is exactly one bounty amount that maps to payouts on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows must exhibit (a) attacker-readable kill-chain storytelling and (b) objective proofs of successful exploitation replayable by BiteCo responders (Burp transcripts, scripted API sequences, SSRF egress captures, signing-bypass traces…).
Critical, on this ledger, covers impact such as:
- Mass account takeover or org-wide authz bypass
- Universal webhook or signing forgery affecting many tenants
- Fund or entitlement reroute at scale
- Persisted RCE in BiteCo edge/app origin
- SSRF/cloud metadata pivot through workers they expose
- Cross-tenant or cross-org data exfiltration without consent
- Critical integrity break in automated settlement or balance updates
- Break-glass SSRF from BiteCo infra to internal cloud metadata
Illustrative map (non-exhaustive)
These rows do not impose limits — shorthand for tagging reports. Anything BiteCo hosts, signs, proxies, caches, verifies, or webhook-delivers counts as bounty ground even if undocumented here. Treat “not listed” ≠ “out-of-scope”: default stance is open scope across BiteCo.
| Surface | Class | Critical payout |
|---|---|---|
| biteco.one, *.biteco.one, HTML/JS/CSS, PWAs | Web · CDN | $5,000 / validated bug |
| REST/Graph/WebSocket APIs · webhooks (Bearer · HMAC) | Backend | $5,000 / validated bug |
| Admin consoles, operator tooling, impersonation rails | SaaS | $5,000 / validated bug |
| Queue workers · cron pipelines · signed callback URLs | Infra | $5,000 / validated bug |
Everything BiteCo operates — no exclusions list
This playbook refuses “only these SKU endpoints.” Sandbox shards, mirrored tenants, Grafana boards, feature-flag planes, SMTP bridges, automation hooks BiteCo patches — all bounty eligible when critical impact is reproducible.
- Every apex / vanity hostname routing through BiteCo edge; include the routing evidence in your chain write-up.
- Infrastructure-as-code or client SDK repos BiteCo ships toward production
- Edge workers or bundles they sign & serve to browsers
- Partner OAuth or API-key consent surfaces BiteCo operates
Rules of engagement
- Prove exploitation success. Ship artefacts third parties rerun: scripted curl flows, Burp/HAR exports, SSRF egress captures, signing forgery scripts with verified callback acceptance.
- Articulate kill chain granularity. Number each hop: auth boundary → abused endpoint → escalation → monetizable damage (ATO, cross-tenant bleed, silent reroute, infra takeover…).
- Document blast radius responsibly. Quantify users or orgs affected, even when the chain was exercised only on staging shards that faithfully mirror production routing and auth.
- Encrypt & ship privately. Use sanctioned intake on biteco.one (see submit section) before broadcasting exploit details.
- Honor duplicate fairness. On collisions, the first fully qualifying chain with reproducible exploitation is the one paid.
How to submit a report
Start from the security / disclosure contact publicly listed on biteco.one (security@biteco.one is a common pattern — verify on the vendor site before sending). Mandatory sections mirror below.
# Title
[Critical][Exploit-Proven] <tight title>
# Executive summary — impact in one paragraph
# Severity self-classification → must map to BiteCo critical definitions above
## Attack chain narrative (numbered, no gaps)
1. Preconditions (session / API key / org context)
2. Entry primitive — exact HTTP verb/path/query/body
3. Pivot(s) chaining trust escalation
4. Final hop → ATO / cross-tenant damage / reroute / infra takeover equivalent
## Successful exploitation evidence
• Replayable script + truncated responses showing impact
• HAR / Burp with unauthorized state change
• Webhook or worker logs proving forged delivery accepted
## Reproduction package
Commands + fixtures + pinned SHAs
## Disclosure ack
Responsible channel only until BiteCo clears publication coordination
Node.js vignette · pair with reproducible API exploit replay
Illustrative middleware in which requests carrying no key still reach handlers. On its own it is worth nothing; the payout needs traces proving that unauthenticated calls against biteco.one mutate protected state.

```javascript
// BUGGY: missing / invalid API key maps to a synthetic admin tenant.
// `registry` stands in for the API-key store; a Map is assumed here so the snippet runs.
const registry = new Map([['k_example', { id: 'tenant-a', role: 'member' }]]);

function attachTenant(req, res, next) {
  const key = req.header('X-Biteco-Key');
  if (key && registry.has(key)) {
    req.tenant = registry.get(key);
  } else {
    // default-overprivileged: every unauthenticated or mistyped key becomes admin
    req.tenant = { id: 'public', role: 'admin' };
  }
  next();
}
```
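For contrast, the fail-closed form of the same middleware, plus a minimal Express-like harness that records what the middleware did to a constructed request. This is an added example, not BiteCo code; the `registry` Map, the `X-Biteco-Key` header and the tenant records are assumptions carried over from the vignette.

```javascript
'use strict';
// Added example, not BiteCo code. Registry contents, header name and tenant
// records are constructed assumptions.
const registry = new Map([
  ['k_tenant_a', { id: 'tenant-a', role: 'member' }],
  ['k_tenant_b_admin', { id: 'tenant-b', role: 'admin' }],
]);

// FIXED: a missing or unknown key never yields a tenant. The request is
// rejected with 401 before any handler runs, and the attached tenant is a
// copy so handlers cannot mutate the registry entry.
function attachTenantFixed(req, res, next) {
  const key = req.header('X-Biteco-Key');
  if (typeof key !== 'string' || key.length === 0) {
    return res.status(401).json({ error: 'missing_api_key' });
  }
  const tenant = registry.get(key);
  if (!tenant) {
    return res.status(401).json({ error: 'invalid_api_key' });
  }
  req.tenant = { id: tenant.id, role: tenant.role };
  return next();
}

// Minimal Express-like harness: builds req/res from a header map, runs the
// middleware, and returns what happened (status, body, whether next() ran,
// and the tenant that would reach the handler). Header keys are lowercase,
// matching Express's case-insensitive req.header().
function run(middleware, headers) {
  const req = { header: (name) => headers[name.toLowerCase()], tenant: undefined };
  const out = { status: 200, body: null, nextCalled: false, tenant: undefined };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  middleware(req, res, () => { out.nextCalled = true; });
  out.tenant = req.tenant;
  return out;
}

module.exports = { registry, attachTenantFixed, run };
```

Dropping the page's buggy `attachTenant` into `run(attachTenant, {})` yields `nextCalled === true` with `tenant.role === 'admin'`, which is the local analogue of the trace a report must capture against the live origin; the fixed version returns a 401 and never calls `next()`.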
Frequently asked questions
Is anything actually “out of scope” besides illegal stuff?
No discretionary product carve-outs — only universal legal/ethical lines. If BiteCo hosts, proxies, or documents a surface, testers escalate until triage disqualifies specifics.
Do speculative write-ups without a working exploit get paid?
No. $5K critical payouts require both narrative and evidence of successful attack replay. Theory-only stalls without compensation.
Are staging / dev nets fair game?
Yes, whenever BiteCo labels or operates them. Mirror production configs realistically where possible.
Duplicates?
First validated chain + reproducible exploitation wins; followers acknowledged only.
Lower severities rewarded?
Not under this $5K-flat critical playbook — escalate impact or accept acknowledgement without cash.
Critical chain + working exploit = $5,000
No narrow scope appendix — document the attack, prove it lands, file privately.