Ayan Bug Bounty Challenge

Ayan invites you to collaborate in the Bug Bounty Challenge, aimed at identifying vulnerabilities. If you are interested in discovering or resolving bugs in websites and applications, please submit your reports according to the rules and regulations of this page. By doing so, you'll not only help improve and develop our infrastructure but also receive a reward.

Ayan Bug Bounty Rewards!

The Ayan Bug Bounty has 4 levels of rewards, defined according to the CVSS standard. Your reward will be determined and paid after acceptance and review by our team.

Note: The process of responding to your report may take up to 15 business days; additionally, if the report is confirmed by the Ayan security team, the reward will be deposited within 5 business days.

Vital

Up to 1,500,000,000 Rials as a prize

Critical

Up to 250,000,000 Rials as a prize

Scope of the Bug Bounty Challenge

Ghabzino

  • Ghabzino Android Application
  • Ghabzino iOS Application
  • ghabzino.com

Pishkhan 24

  • Pishkhan 24 Android Application
  • pishkhan24.com

Khalafi.ir

  • khalafi.ir

Ghabzino Organization

  • organization.ghabzino.com

Acceptable Vulnerabilities

  • Business Logic
  • Server-Side Request Forgery (SSRF)
  • XML External Entity (XXE)
  • SQL Injection
  • Insecure Direct Object References (IDOR)
  • Authorization Flaws
  • Server-Side Code Execution
  • Data Leakage
  • SMS Bombing
  • Authentication Flaws

Unacceptable Vulnerabilities

  • Password complexity
  • Username / email enumeration
  • Disclosure of JavaScript API keys (e.g. API key for map service)
  • CSRF and CORS misconfiguration with no security impact
  • Missing Secure flag on cookies
  • Missing secure HTTP headers
  • Disclosure of server or software version numbers
  • Reports extracted from vulnerability scans
  • Clickjacking
  • Brute-force
  • Self XSS
  • Missing best practices in SSL/TLS configuration
  • DoS and DDoS (Application and Network)
  • Social Engineering
  • Lack of SPF/DKIM/DMARC implementation
  • Cross-Site Scripting (XSS)

Rules and Regulations of the Challenge

Participants in Ayan's Bug Bounty Challenge must adhere to the rules and regulations stated on this page for their reports to be considered acceptable. These rules and regulations include:

  • Maintaining the confidentiality of information obtained during the bug identification process is mandatory at all stages of participation in the challenge, even after its conclusion. In cases of disclosure, alteration, theft, or destruction of information, the bug reporter is fully responsible for any consequences.
  • If the reported bug has already been identified by other individuals, no reward will be given for duplicate reports.
  • The identified bug must fall within the scope of Ayan's Bug Bounty Challenge. Reports outside the scope of the challenge will not be eligible for rewards.
  • If a bug is identified across multiple areas of Ayan's Bug Bounty Challenge, only one reward will be given to the reporter.
  • Any disruption caused to the websites and applications within the scope of Ayan's challenge by the bug reporter is prohibited.
  • The payload (code, script, etc.) used to identify the bug must be included in the report.
  • The identified bug must be provable and reproducible to qualify for a reward.
  • The standard for assessing bugs for reward allocation is the CVSS standard.

Your Report…

  • Your report should be detailed step-by-step, both in writing and in video, to enable our team to test it.
  • Your report must include one bug. If you have identified multiple bugs, please submit them separately.
  • Your report should be sent to Ayan's email address provided below. Please make sure to send the completed bug bounty form along with your report.
Download the form