Last Revised: 2022-03-31 11:24:39
Hostinger encourages the responsible disclosure of security vulnerabilities in our services or on our website. In order to facilitate the responsible disclosure of security vulnerabilities, we agree that if, in our sole discretion, we conclude that a disclosure meets all of the guidelines of the Hostinger Bug Bounty Reward Program, Hostinger will not bring any private or criminal legal action against the disclosing party.
Our team of dedicated security professionals works vigilantly to help keep customer information secure. We recognize the important role that security researchers and our user community play in helping to keep Hostinger and our customers secure. If you discover a site or product vulnerability please notify us using the guidelines below.
Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“PROGRAM TERMS”). By submitting a site or product vulnerability to Hostinger you acknowledge that you have read and agreed to these PROGRAM TERMS.
As part of your research, do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.
Please note that www.hostinger.com and www.hosting24.com is using the same code base, so vulnerability found on one domain will be treated as duplicate on another.
Domains not listed above are not in scope.
Hostinger will make a best effort to adhere to the following response targets:
|Type of Response||Business days|
|First Response||2 working days|
|Time to Triage||10 working days|
|Time to Bounty||14 working days|
|Time to Resolution||depends on severity and complexity|
To be eligible for the Bug Bounty Program, you must not:
By providing a Submission or agreeing to the PROGRAM TERMS, You agree that you may not publicly disclose your findings or the contents of your Submission to any third parties in any way without Hostinger's prior written approval.
Failure to comply with the PROGRAM TERMS will result in immediate disqualification from the Bug Bounty Program and ineligibility for receiving any Bounty Payments.
Hostinger will accept a report of any vulnerability that substantially affects the confidentiality or integrity of any eligible Hostinger service. Eligible vulnerabilities include, but are not limited to:
Any domain not listed in policy scope is out of scope for the purposes of the Bug Rewards Program, as is all hosted customer content and third-party programs and plug-ins.
The following actions do not qualify for the Bug Rewards Program and should not be tested by researchers participating in the Program:
For all submissions, please include:
Failure to include any of the above items may delay or jeopardize the Bounty Payment
Failure to meet the below conditions and requirements could result in a forfeiture of any potential Bounty Payment.
You may be eligible to receive a monetary reward (“Bounty Payment”) if: (i) you are the first person to submit a site or product vulnerability; (ii) that vulnerability is determined to by a valid security issue by Hostinger's security team; and (iii) you have complied with all PROGRAM TERMS.
Bounty Payments, if any, will be determined by Hostinger, in Hostinger sole discretion. In no event shall Hostinger be obligated to pay you a bounty for any Submission. All Bounty Payments shall be considered gratuitous.
All Bounty Payments will be made in United States dollars (USD). You will be responsible for any tax implications related to Bounty Payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.
Hostinger will determine all Bounty Payments based on the risk and impact of the vulnerability. The minimum bounty amount for a validated bug submission is $100 USD and the maximum bounty for a validated bug submission is $6000USD.
Hostinger Bug Bounty Team retains the right to determine if the bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by the Hostinger Bug Bounty Team are final. Bounty Payment ranges are based on the classification and sensitivity of the data impacted, ease of exploit and overall risk to Hostinger customers, Hostinger brand and determined to be a valid security issue by Hostinger's security engineers.
As a condition of participation in the Hostinger Bug Bounty Program, you hereby grant Hostinger, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Hostinger in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us.
You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to Hostinger. In no event shall Hostinger be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as Hostinger complies with the terms of participation stated herein.
In the event (i) you breach any of these PROGRAM TERMS or the terms and conditions of the Hostinger; or (ii) Hostinger determines, in its sole discretion that your continued participation in the Bug Bounty Program could adversely impact Hostinger (including, but not limited to, presenting any threat to Hostinger's systems, security, finances and/or reputation) Hostinger may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any Bounty Payments. Please see our recommendations on the proper procedures for testing our applications.
Any information you receive or collect about Hostinger, Hostinger employees or any Hostinger customer through the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Hostinger sites, without Hostinger's prior written consent. Any disclosure of Confidential Information outside of this requirement will result in immediate removal from the Program.
In addition to any indemnification obligations you may have under the Hostinger Agreements, you agree to defend, indemnify and hold Hostinger, its subsidiaries, affiliates and the officers, directors, agents, joint ventures, employees and suppliers of Hostinger, its subsidiaries, or our affiliates, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these PROGRAM TERMS and/or your improper use of the Bug Bounty Program.
The Bug Bounty Program, including its policies, is subject to change or cancellation by Hostinger at any time, without notice. As such, Hostinger may amend these PROGRAM TERMS and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after Hostinger posts any such changes, you accept the PROGRAM TERMS, as modified.