Active program · $5,000 flat per validated critical · App · API · Admin · Payment · Game · full mesh

ITL996 (itl996.com) Bug Bounty: $5,000 Each Validated Critical — Admin Access Priority, Full Scope

ITL996 at https://www.itl996.com is a Chinese online casino platform serving real-money gaming: slots, live dealer tables, sportsbook, and virtual games. It operates customer-facing web apps, game lobbies, authenticated dashboards, HTTP/JSON APIs, payment gateways (deposit/withdraw), admin consoles, and backend management systems. The entire ITL996-operated perimeter is in scope, with no carve-out appendix. Every confirmed critical validated with a reproducible exploitation chain pays exactly $5,000 USD. Admin access findings receive priority triage. Acceptance requires both a numbered attack chain narration and evidence that the exploitation actually succeeds (replayable scripts, tampered account or balance state, SSRF egress, auth bypass on admin surfaces, payment manipulation traces); prose alone is not paid.

BountyHunter Editorial, Security Research Desk

Status: Live · accepting reports
Critical payout: $5,000 USD per validated report
Avg. triage: ~48h (online casino pattern)
Blast radius: very high (funds, users, admin access)
Scope: all ITL996-operated stacks
Proof bar: numbered attack chain + PoC; the attack must succeed
01 — Overview

Chinese online casino — admin access priority

ITL996 is a Chinese real-money online casino operating at https://www.itl996.com. The platform offers slot games, live dealer tables, sportsbook betting, lottery-style games, and virtual gaming — all backed by payment rails handling deposits, withdrawals, and internal wallet transfers.

This bounty program is designed around one primary target: admin access. The platform's administration consoles — user management, game configuration, payout controls, audit logs — represent the highest-value attack surface. A single validated admin-level compromise is worth $5,000 USD. Full chain, proven exploitation, no exceptions.

All ITL996-operated web applications, APIs, admin panels, payment integrations, game backend services, and CDN edges are in scope. If they host it, proxy it, or sign it — you can test it.

Admin Access

Primary payout target. Any admin console takeover — full control over user accounts, balances, game outcomes, and platform configuration.

Payment Manipulation

Deposit/withdraw bypass, balance tampering, transaction forgery, wallet draining via API or backend flaws.

Game Integrity

RNG manipulation, bet-result forgery, house-edge bypass, jackpot or payout-ratio tampering through game API compromise.

02 — Why this matters

Casino-grade risk surface

An online casino has little slack in its trust model: every component sits on the path between a user's deposit and a withdrawal. ITL996 connects real-money deposits to game outcomes, user account balances, and withdrawal pipelines through a stack that includes:

  • Customer-facing web lobby with user registration, authentication, and wallet views
  • Admin back-office for user management, blacklist/whitelist, KYC verification, balance adjustments, and game configuration
  • Payment gateway integration — deposit (Alipay, WeChat, USDT, bank transfer) and withdrawal processing
  • Game server APIs — RNG seed, bet placement, outcome resolution, jackpot state
  • Agent/affiliate management — commission tracking, sub-account creation, revenue share

Admin access is the crown jewel. A single admin session takeover yields control over all user balances, game outcomes, withdrawal approvals, and audit trails. It is the highest-impact finding this program will pay for.

Priority fast-lane: Reports that demonstrate admin console access (bypass, takeover, privilege escalation to admin role) are elevated to front of the triage queue and paid within the standard window.
03 — Reward

$5,000 per validated critical

There is exactly one payout tier: validated critical findings pay $5,000 USD each. Novel low-severity items may receive acknowledgement but no cash. A paid report must include (a) a numbered, attacker's-eye kill chain and (b) objective evidence of successful exploitation that ITL996 responders can replay (Burp transcripts, scripted API sequences, SSRF egress captures, session-token extraction traces, and the like).

Critical $5,000 USD ea.

Admin console takeover or privilege escalation; mass user account takeover; payment/bank balance manipulation across multiple accounts; RNG or game outcome forgery affecting real money; database access or credential dump affecting production; SSRF/cloud metadata pivot through ITL996 infra.

  • Admin-level auth bypass (login, session hijack, role escalation)
  • Cross-user or mass balance tampering via API or SQL injection
  • Bet outcome / game RNG seed manipulation demonstrable on live games
  • Full database read or write access through exposed endpoints
Operational rule: if you cannot yet prove that the exploitation lands inside ITL996's boundary, keep working your staging mirror until HTTP or trace logs objectively show attacker success. Triage shelves "might work" theories.
04 — Scope inventory

Illustrative map (non-exhaustive)

These rows are shorthand for tagging reports, not limits. Anything ITL996 hosts, signs, proxies, caches, verifies, or routes counts as bounty ground even if it is not listed here. "Not listed" does not mean "out of scope": the default is open scope across ITL996.

Surface | Class | Critical payout
itl996.com, *.itl996.com, HTML/JS/CSS, game lobby | Web · CDN | $5,000 / validated bug
REST/WebSocket game APIs, wallet APIs, bet resolution endpoints | Backend | $5,000 / validated bug
Admin consoles, agent dashboards, operator tooling, user management | SaaS | $5,000 / validated bug
Payment gateway integration (deposit/withdraw rails, wallet API, transaction logs) | Payment | $5,000 / validated bug
Game engine backends, RNG services, jackpot/prize state | Gaming | $5,000 / validated bug
CDN edge, cached assets, worker functions, redirect surfaces | Infra | $5,000 / validated bug
05 — Scope policy

Everything ITL996 operates — no exclusions list

This program does not publish a closed list of endpoints. Sandbox shards, mirrored tenants, game staging environments, feature-flag planes, SMTP bridges, automation hooks, and anything else ITL996 operates are all bounty eligible when critical impact is reproducible on real-money surfaces.

  • Every apex or vanity hostname routing through the ITL996 edge (include the routing evidence in your chain write-up)
  • Admin back-office panels and agent management portals
  • Third-party game provider integrations ITL996 proxies or whitelabels
  • Payment aggregator APIs and callback webhooks processing real money
  • Mobile-responsive surfaces and PWA builds served from ITL996 origins
Legal floor (this does not shrink the bounty surface): harassment, indiscriminate ransomware, and money laundering remain barred even though the technical scope is maximal. Do not alter live game outcomes or drain real user balances beyond what the PoC needs.
06 — Rules

Rules of engagement

  1. Prove exploitation success. Ship artefacts a third party can re-run: scripted curl flows, Burp/HAR exports, SSRF egress captures, session-token forgery scripts whose output the target actually accepts.
  2. Narrate the kill chain hop by hop. Number each step: auth boundary → abused endpoint → escalation → monetizable damage (admin takeover, balance manipulation, game outcome tampering, data exfiltration, and so on).
  3. Document the blast radius responsibly. Quantify the users or funds affected, even when the chain was exercised only on a staging mirror that reproduces production routing and auth faithfully.
  4. Encrypt and ship privately. Use the sanctioned intake (see the submit section) before sharing exploit details anywhere else.
  5. Honour duplicate fairness. On collisions, the first fully qualifying chain with reproducible exploitation is paid; later duplicates are acknowledged only.
07 — Submit

How to submit a report

Start from the security / disclosure contact publicly listed on itl996.com — look for security@itl996.com, admin@itl996.com, or a Telegram/WeChat contact on the site footer. Always verify the contact method on the live vendor site before sending. Mandatory sections mirror below.

Report Template
# Title
[Critical][Exploit-Proven] <tight title>

# Executive summary — impact in one paragraph

# Severity self-classification → must map to ITL996 critical definitions above

## Attack chain narrative (numbered, no gaps)
1. Preconditions (session / API key / admin context)
2. Entry primitive — exact HTTP verb/path/query/body
3. Pivot(s) chaining trust escalation toward admin access
4. Final hop → admin takeover / balance manipulation / game outcome forgery equivalent

## Successful exploitation evidence
• Replayable script + truncated responses showing impact
• HAR / Burp with unauthorized state change
• Admin panel screenshot showing escalated privileges
• DB dump, config leak, or payment transaction forgery receipt

## Reproduction package
Commands + fixtures + pinned SHAs

## Disclosure ack
Responsible channel only until ITL996 clears publication coordination
Gating reminder: a report missing kill-chain granularity or demonstrable exploitation success is bumped to "needs rework"; no payout until that is fixed.
08 — Example

Node.js API vignette · admin privilege escalation through misconfigured auth middleware

JavaScript (CWE-285)
// BUGGY: Admin panel middleware trusts any valid session, not role check
const jwt = require('jsonwebtoken');
const secret = process.env.JWT_SECRET; // HS256 shared secret

function adminAuth(req, res, next) {
  const token = req.header('Authorization');
  let payload = null;
  try {
    // jwt.verify throws on a bad signature or an expired token
    payload = token ? jwt.verify(token, secret) : null;
  } catch (e) {
    payload = null;
  }
  if (payload) {
    // Missing: role claim validation, so any valid user token = admin
    req.user = payload;
    next();
  } else {
    res.status(401).json({ error: 'Unauthorized' });
  }
}

// Attack: take any user JWT (register a free account),
// send it in the Authorization header to /admin/users, /admin/withdrawals, /admin/game-config
// Result: full admin console access via user-level token
09 — FAQ

Frequently asked questions

Is anything actually "out of scope" besides illegal stuff?

No discretionary product carve-outs, only universal legal and ethical lines. If ITL996 hosts, proxies, or documents a surface, it is in scope unless triage explicitly rules a specific item out.

Do speculative write-ups without a working exploit get paid?

No. The $5K critical payout requires both the narrative and evidence that the attack was replayed successfully. Theory-only reports are not paid.

Are staging / dev nets fair game?

Yes, whenever ITL996 labels or operates them. Mirror production configuration as realistically as possible.

Can I test game RNG or outcome logic?

Yes — game backends, RNG endpoints, bet placement/resolution APIs are in scope. Use test accounts and minimal real stakes. If you can demonstrate predictable outcomes or forged results, the chain counts.

How is admin access verified for payout?

Submit a replayable PoC showing escalation from a non-privileged user session to administrative capabilities — panel access, user management, balance adjustment, game configuration, or withdrawal approval. Screenshots + raw request traces required.

Duplicates?

The first validated chain with reproducible exploitation is paid; later duplicates are acknowledged only.

Lower severities rewarded?

Not under this $5K-flat critical program: escalate the impact to critical, or accept acknowledgement without cash.

Critical chain + working exploit = $5,000

Admin access priority — document the attack, prove it lands, file privately.