About Mailgroup
To buy virtual numbers for Mailgroup, you need to:
Contact technical support to review and confirm (verify) your account for the purchase of numbers through any communication channel available to you.
We do not recommend that you top up your balance before your application has been considered. In some cases, consideration of the application may take up to 7 days.
Purchase at least 1000 numbers per month.
In other cases, it is not possible to buy numbers to activate Mailgroup. By going to the "Rent" tab, you can purchase a number without restrictions.
Info about OLX
Refunds for the OLX service are not provided, including when the account is busy, as this happens when the mobile operator reissues a SIM card whose number used to have a profile.
Recommendations from the SMS-Activate team for registering with the OLX service:
Buy a number through the site interface or API.
Before receiving the code, check the availability of the account (either through the password recovery form, or directly, trying to enter the account by entering any password). Make sure the number is not busy, and only then ask for the verification code.
If during the check (with a checker program or manually) it turns out that the account is busy, cancel the purchase. The funds will automatically be returned to your balance (a purchase counts as successful only if an SMS from the service has been received).
You need to find vulnerabilities of infrastructure, services and applications that deal with private data. The hunting area: domains, mobile and desktop applications.
Welcome to the Bug Bounty program! Your participation helps improve the security of our products and services. Please familiarize yourself with the following rules to ensure effective and ethical collaboration.
Registration and Verification
Registration:
To participate in the program, you first need to sign up on the website sms-activate.guru;
Provide your Telegram account during the registration process for easy communication;
Verification:
You have to go through the verification process to receive payments. Detailed instructions will be sent to you via Telegram once your report is approved.
Providing reports
Studying the Rules:
Before submitting your report, please familiarize yourself with the rules of participation and the types of vulnerabilities that can be considered;
Reporting Form:
Use the form on the page sms-activate.guru/bugBountyForm to submit your report. Your report should contain a clear description of the vulnerability, steps to reproduce it, evidence (screenshots, videos) and recommendations for fixing it;
Additional files:
attach additional files to confirm the vulnerability if necessary;
Reviewing reports process
Your report will be carefully analyzed by our security specialists. This process can take up to three months. During this time, the report may be assigned one of the following statuses: "pending", "sorted", "rejected by moderator", "more information required", and others.
Types of vulnerabilities
In Appendix A you will find the list of vulnerability types that are not eligible for a reward. In Appendix B the criteria for assessing the importance level of a vulnerability are specified.
Verification and privacy
All personal data provided by you for verification purposes will be used solely for identification purposes, and will not be disclosed to third parties without your agreement. We do our best to ensure the privacy and security of your data.
Payments
After successful verification and confirmation of the vulnerability, you will be offered a reward. The amount of the reward is determined based on the level of importance of the vulnerability and the quality of the provided report.
Ethical norms
We expect participants to act responsibly and ethically. It is not permitted to exploit found vulnerabilities to cause damage, gain unauthorized access to data or systems, or spread information about the vulnerability until it is fixed.
Conclusion
We value your contribution to improving the security of our products and services. Your participation helps create a safer digital space for all of us.
We wish you luck in searching for vulnerabilities! Your contribution is priceless, so we are grateful for your help in securing our systems.
Appendix A
Types of vulnerabilities that are not eligible for a reward (low-level vulnerabilities that do not have critical consequences if exploited, including):
IDOR (reports on this type of vulnerability are accepted only in case of a high level of criticality; the level of criticality is determined by our specialist when the vulnerability is confirmed);
Any kind of XSS vulnerabilities, except for Stored XSS (Stored XSS vulnerability reports are accepted depending on the importance of the web resource);
Clickjacking;
Insecure Redirect URI;
Directory Listing Enabled (passwords, backups) and Sensitive data exposure (depending on the disclosed data; reports on this vulnerability are accepted if critical data is found);
Enabled debug mode that doesn't disclose critical data;
CSRF vulnerabilities found within a function that is not critical;
Disclosure of the admin panel (if the bug hunter finds the admin dashboard, but is unable to perform account takeover or obtain other critical information);
User Enumeration that does not disclose critical data;
Security Misconfiguration, in case there is no evidence that the threat has been realized;
Denial of service;
Spam;
Social engineering aimed at employees, contractors or customers;
Any physical attempts to gain access to the system owner's property or data centers;
Reports created using automated tools and scans;
Errors in third-party software;
Absence of security headers that doesn't lead directly to a vulnerability;
SSL / TLS trust violation;
Vulnerabilities affecting only users of outdated or unlicensed browsers and platforms;
Password and account recovery policies, such as the expiration date of a reset link or password strength;
Outdated DNS record pointing to a system that does not belong to the system owner.
Appendix B
Types of vulnerabilities by the level of criticality:
| Vulnerability | Low | Medium | High |
|---|---|---|---|
| Path Traversal | 10 | 40 | 70 |
| Directory Listing Enabled | 10 | 40 | |
| Insecure Redirect URI | 5 | 10 | |
| Clickjacking | 5 | | |
| Brute Force | 5 | | |
| SQL Injection (empty database, useful database) | 10 | 40 | 70 |
| XML External Entity Injection | | 50 | 70 |
| Local File Inclusion | | 50 | |
| Remote Code Execution | 10 | 50 | 100 |
| Authentication Bypass | | 50 | 90 |
| Account Takeover | | 50 | 90 |
| Insecure Direct Object References | 10 | | |
| Stored XSS | 20-30 | | |
| Reflected XSS | 10-20 | | |
| Server-Side Request | | 40-60 | |
| Cross-Site Request Forgery | 10-20 | | |
| Race Condition | 10 | | 90 |
| Server-Side Template Injection | 20 | | 80 |
Points according to the vulnerability critical level are awarded as follows:
Low level of importance - from 0 to 30 points;
Medium level of importance - from 31 to 60 points;
High level of importance - from 61 to 100 points.
sms-activate.guru
hstock.org
ipkings.io
Rewards
The amount of the reward depends on the criticality of the vulnerability, the ease of exploitation, and the impact on user data. The level of criticality is often decided together with developers, which can take additional time.
| Vulnerability | Reward |
|---|---|
| Remote Code Execution (RCE) | $1500 - $5000 |
| Local files access and other (LFR, RFI, XXE) | $500 - $3000 |
| Injections | $500 - $3000 |
| Cross-Site Scripting (XSS), excluding Self-XSS | $100 - $500 |
| SSRF, except for the blind | $300 - $1000 |
| Blind SSRF | $100 - $500 |
| Memory leaks / IDORs / Disclosure of information with protected personal data or sensitive user information | $70 - $1150 |
| Other confirmed vulnerabilities | Depends on the criticality |
All SMS-Activate apps that deal with user data are involved. Our applications can be found in Google Play and App Store by the name SMS-Activate.
Apps
| Vulnerability | Reward |
|---|---|
| Remote Code Execution (RCE) | $1500 - $5000 |
| Local files access and other (LFR, RFI, XXE) | $500 - $3000 |
| Injections | $500 - $3000 |
| SSRF, except for the blind | $300 - $1000 |
| Blind SSRF | $100 - $500 |
| Memory leaks / IDORs / Disclosure of information with protected personal data or sensitive user information | |
During the selected period, you will always have the opportunity to receive an unlimited number of SMS from the selected service. You can always restore access to your registered account!
If you have not received an SMS with a code within the first 20 minutes, you can cancel the number, and the money will be returned to your account in full.
If you have not received an SMS and more than 20 minutes have passed, it will be impossible to cancel the rent. A number that was sold for rent, will not be resold for the corresponding service after the expiration of the rental period. The minimum rental period is 4 hours and the maximum is 4 weeks.
There are two options for renting a number:
Full rent means that you have access to the reception of absolutely all kinds of SMS*
Rent a number for a specific service. In this case, you will receive SMS only from the service you have chosen.
The rented number is located in the “Rent” tab, in the mobile version of the site under the “Operations” tab. Set up filters to display numbers correctly. After the end of the rental period, the number will be displayed in the “History” tab.
* Except for sms from the mobile operator whose number you purchased
An option for registration in services where you need to enter the last digits of the incoming number for confirmation.
The number is provided for 5 minutes. You need to enter it in the service where you need to pass verification within this time. Then a code will be displayed on the page "Activation" at SMS-Activate. If you have problems with activation, cancel the purchase of the number before 5 minutes pass.
If you purchase the service, you can also receive unlimited SMS to the purchased number within 20 minutes. Verification service is provided at the same favorable price for all services.
*Only 1 number can be received. If you receive an incoming call and confirmation numbers, no refund is possible.
Verification by number is a service for the cases when a service demands you to enter the last digits of the incoming call number for confirmation. The verification service is provided at the same beneficial price for all services.
The minimum rent period is 4 hours, the maximum is 4 weeks. Your number will be displayed on the Rent page.
You are given 20 minutes to enter the purchased number in the service, where you need to pass verification and receive an incoming call within the rental period that you purchased.
If you faced problems with activation, you did not receive an SMS or the digits of the incoming call number were not received, then the number can be canceled for free within 20 minutes.
*The first incoming call is included in the price of this service. All subsequent incoming calls will cost 5% of the initial cost of the number. If you receive an incoming call and confirmation numbers, a refund is not possible.