
SellAuth (sellauth.com) Bug Bounty: $5,000 Each Validated Critical — Full Scope, Kill Chain Required

SellAuth (sellauth.com) is an identity/licensing layer for merchants and integrations: authenticated dashboards, bearer-token integrations, OAuth/OIDC-style redirects, webhook fan-out on auth/licensing events, reseller or team roles, entitlement checks, storefront-adjacent session bridging, CDN-served dashboards, and the queues and workers that mint or revoke access. The entire SellAuth-operated perimeter is in scope, with no carve-out appendix. Every confirmed critical, validated with a reproducible exploitation chain, pays exactly $5,000 USD. Acceptance requires both a numbered attack-chain narration and evidence that the exploitation actually succeeds (replayable scripts, session/token traces, SSO callback tamper logs, SSRF egress, OAuth state/PKCE failures); prose alone does not pay.

BountyHunter Editorial

Security Research Desk

  • Status: Live · accepting reports
  • Critical payout: $5,000 USD · each validated report
  • Avg. triage: ~48h (identity SaaS pattern)
  • Identity blast radius: High (tokens · licenses · reseller roles)
  • Scope: all SellAuth-operated stacks
  • Proof bar: chain + PoC kill chain · attack succeeds

01 — Overview

Auth & licensing surfaces worth hammering

May 6 — X announcement: SellAuth’s official X (Twitter) account posted a thread about this bounty. It covered the $5,000 flat payout per validated critical, encouragement to stress the full hosted stack (auth, dashboards, APIs, OAuth flows, sessions), the bar of a documented kill chain plus proof that the exploit works, the expectation of coordinated disclosure through sanctioned channels before posting screenshots on public timelines, and inline links and pointers for reporters.

Social timelines move faster than contracts — reconcile every payout tier and inbox with sellauth.com and whatever SellAuth pins or updates after May 6 when you actually submit.

SellAuth concentrates session cookies, OAuth/SAML bridging, API bearer rotation, reseller or team hierarchies, license seat enforcement, SSO callback URLs, MFA enrollment state, webhook HMAC issuance, admin impersonation tooling, edge caching of authenticated HTML — fertile ground for account takeover, cross-tenant privilege bleed, and forged entitlement issuance if isolation breaks. This playbook rewards only highest-impact, fully demonstrated criticals — each earns $5,000.

In scope materially: every HTTP host answering for sellauth.com and delegated subdomains, websocket or SSE channels they operate, Postgres rows under their infra, CDN bundle origins they sign or host, SAML/OIDC metadata endpoints, mobile or desktop deep-link handlers advertised in their docs, preview/staging clones they label, Grafana/Sentry ingestion they administer, worker runtimes emitting auth webhooks.
The only exclusions are legal and ethical ones: credential stuffing against unrelated third-party sites outside the SellAuth login context, ransomware against hospitals, phishing campaigns against random consumers unrelated to bounty testing. These are societal bans, not product-level fences.

Minimum evidence bar (non-negotiable):
  1. Narrative kill chain tying root cause → exploit steps → observable impact
  2. Proof the attack succeeds (replayable transactions, JWT traces, scripted harness, SSO callback captures)
Narratives without a working exploitation path are graded below the payout threshold.

02 — Why this matters

Why probe SellAuth?

Flat $5K critical payouts

Validated critical exploits with reproducible payloads earn exactly $5,000 USD — single tier for paid rows.

Token & SSO blast radius

OAuth redirects, opaque refresh tokens, role APIs — chained bugs silently spread across reseller trees until mapped.

No fake micro-scope list

If SellAuth can patch or configure it — from dashboard JS to infra Terraform — testers can escalate until severity lands.

Responsible disclosure halo

Demonstrated exploits with airtight chains earn coordinated publication credit after fixes ship.

03 — Reward

$5,000 per validated critical

There is exactly one bounty amount that maps to payouts on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows must exhibit (a) attacker-readable kill-chain storytelling and (b) objective proofs of successful exploitation replayable by SellAuth responders (Burp transcripts, scripted API sequences, OAuth callback replays, JWT mutation evidence, stolen session fixation logs…).

Critical $5,000 USD ea.

Forge admin or reseller-equivalent roles at scale; universal account takeover primitives; SSO/OIDC state confusion leading to credential theft chain-wide; mass license forgery affecting many tenants; persisted RCE in dashboard or auth edge; SSRF/metadata pivot through SellAuth workers.

  • Cross-tenant org / seat data bleed or impersonation primitives
  • Broken OAuth/state/PKCE allowing silent token theft on callback
  • SSRF/metadata pivot from infra SellAuth exposes to clients

Operational truth: if you cannot yet prove that the exploitation lands inside SellAuth’s boundary, tighten your staging mirror until HTTP/trace or token logs objectively show attacker success. Triage shelves “might work” theories.

04 — Scope inventory

Illustrative map (non-exhaustive)

These rows do not impose limits; they are shorthand for tagging reports. Anything SellAuth hosts, signs, proxies, caches, parses, verifies, or delivers by webhook counts as bounty ground even if undocumented here. “Not listed” does not mean “out of scope”: the default stance is open scope across SellAuth.

Surface | Class | Critical payout
sellauth.com, *.sellauth.com, dashboards & static HTML/JS/CSS | Web · CDN | $5,000 / validated bug
REST/Graph APIs · licensing webhooks (Bearer, HMAC, signing keys) | Backend | $5,000 / validated bug
OAuth/OIDC redirects, SSO callbacks, session refresh endpoints | Auth | $5,000 / validated bug
Reseller dashboards, impersonation tooling, worker queues emitting auth events | SaaS | $5,000 / validated bug

05 — Scope policy

Everything SellAuth operates — no exclusions list

This playbook refuses “only these SKU endpoints.” Sandbox shards, mirrored tenants, Grafana boards, ephemeral feature flags, SMTP bridges that deliver magic links SellAuth signs, Zapier-esque automation patched by SellAuth — all bounty eligible when critical impact is reproducible.

  • Every apex / vanity hostname routing through SellAuth edge — claim routing evidence inside your chain write-up.
  • Infrastructure-as-code or SDK repos SellAuth merges affecting auth boundary
  • WASM/edge workers they inject into dashboard or login bundles
  • Partner OAuth apps gated through SellAuth consent UX

Legal floor (not a scope reduction): harassment, wholesale brute-forcing of unrelated consumer banks, and ransomware remain barred despite the maximal technical surface.

06 — Rules

Rules of engagement

  1. Prove exploitation success. Ship artefacts third parties can rerun: scripted curl/openid-client flows, deterministic Burp exports, SSO callback trace captures, JWT tamper scripts, SSRF egress PCAPs showing metadata hits.
  2. Articulate kill chain granularity. Number each hop: auth boundary → abused endpoint → escalation → monetizable damage (ATO chains, counterfeit licenses, infra pivot, mass org-wide token theft…).
  3. Responsible blast radius documentation. Quantify accounts or reseller trees exposed even when exercised only on staging mirrors that faithfully route like production.
  4. Encrypt & ship privately. Use sanctioned intake (security channels on sellauth.com — see submit section) before public disclosure.
  5. Honor duplicate fairness. First fully qualifying chain + reproducible exploitation wins treasury on collisions.
07 — Submit

How to submit a report

Start from the security / disclosure contact publicly listed on sellauth.com (often security@sellauth.com or similar — verify on the vendor site before sending). Mandatory sections mirror below.

Report Template
# Title
[Critical][Exploit-Proven] <tight title>

# Executive summary — impact in one paragraph

# Severity self-classification → must map to SellAuth critical definitions above

## Attack chain narrative (numbered, no gaps)
1. Preconditions (session assumptions, OAuth app ID, reseller org ID)
2. Entry primitive — exact HTTP verb/path/query/body or callback parameter line
3. Pivot(s) chaining trust escalation
4. Final hop → ATO chain / forged entitlement / infra takeover equivalent

## Successful exploitation evidence
• Replayable CLI script showing JWT/session escalation or SSO failure
• HAR / Burp with matched responses proving unauthorized boundary cross
• Webhook/logs illustrating attacker-controlled issuance or revocation

## Reproduction package
Commands + fixtures + pinned SHAs

## Disclosure ack
Responsible channel only until SellAuth clears publication coordination

Gating reminder: missing kill-chain granularity or a lack of demonstrable exploitation success bumps the intake into “needs rework”, with no payout until the gaps are closed.

08 — Example

Node.js vignette · pair with reproducible SSO exploit replay

Pseudocode illustrating a bypass of OAuth state correlation — useless without attaching HAR evidence that a victim session is swapped on sellauth.com callbacks.

Node · illustrative misuse
// BUGGY: looks the pending login up by the bare state parameter; nothing ties
// the state to the browser that started the flow (no cookie/CSRF bind, no PKCE)
import express from 'express';
import crypto from 'node:crypto';

const app = express();
const sessions = Object.create(null); // state -> { userId }, filled in by the login-start handler (not shown)

// Placeholder token minting for the vignette; real code issues a signed session token
function issueToken(userId) {
  return crypto.randomBytes(16).toString('hex') + ':' + userId;
}

app.get('/oauth/callback', (req, res) => {
  const sess = sessions[req.query.state]; // BUG: a leaked or replayed state selects the victim's pending login
  if (!sess) return res.status(400).send('unknown state');
  delete sessions[req.query.state];
  res.cookie('sa_session', issueToken(sess.userId)); // attacker's browser receives the victim's session
  res.redirect('/dashboard');
});

09 — FAQ

Frequently asked questions

Is anything actually “out of scope” besides illegal stuff?

No discretionary product carve-outs — only universal legal/ethical lines. If SellAuth hosts, proxies, or documents a surface, testers escalate until triage disqualifies specifics.

Do speculative write-ups without a working exploit get paid?

No. $5K critical payouts require both narrative and evidence of successful attack replay. Theory-only stalls without compensation.

Are staging / dev nets fair game?

Yes whenever SellAuth labels or operates them.
Mirror configs realistically where possible.

Duplicates?

First validated chain + reproducible exploitation wins; followers acknowledged only.

Lower severities rewarded?

Not under this $5K-flat critical playbook — escalate impact or accept acknowledgement without cash.

Critical chain + working exploit = $5,000

No narrow scope appendix — document the attack, prove it lands, file privately.