Bug Bounty Program

We strive to provide maximum security and protection for our users' data. If you find a vulnerability in h2.nexus, report it privately and we'll reward you — from $1 to $5,000 per valid bug, paid by bank card, cryptocurrency or bank transfer.

  • $1 – $5,000 reward range
  • Card, crypto or bank wire
  • < 24 h first response
  • *.h2.nexus in scope

About the program

Our bug bounty program rewards researchers who responsibly find and report security vulnerabilities across the h2.nexus platform — the website, the billing area, the free-server terminal and the infrastructure behind them. The goal is simple: fix real security issues before they can be abused, and fairly reward the people who help us do it.

Every report is reviewed by our team. If your finding is valid, original and in scope, we pay a reward based on its severity and real-world impact. The more serious and clearly demonstrated the issue, the higher the payout — up to $5,000 for critical vulnerabilities.

Rewards by severity

Rewards depend on the impact and exploitability of the bug. The ranges below are a guide — the final amount is decided case by case.

Critical $1,500 – $5,000

Remote code execution, authentication bypass, full account or server takeover, access to other customers' data or funds, payment manipulation.

High $500 – $1,500

Server-side request forgery with real impact, stored XSS in the control panel, IDOR exposing sensitive data, privilege escalation.

Medium $150 – $500

Reflected XSS with impact, CSRF on sensitive actions, sensitive information disclosure, broken access control with limited reach.

Low $1 – $50

Typos, content mistakes, visual or layout glitches, and similar minor issues.

Severity and the final reward are determined by h2.nexus based on CVSS, exploitability and real-world impact. Duplicate reports are rewarded only for the first valid submission.

Scope

Test only the assets listed below, and only with accounts and data that belong to you.

In scope

  • Everything in the h2.nexus project, including all subdomains
  • my.h2.nexus — the client area (BillManager 6)
  • vm.h2.nexus — the server control panel (VMManager 6)
  • vm-promo.h2.nexus — the promo-server control panel (VMManager 6)
  • Our Telegram bots: @rdpbot, @h2nexus_info_bot, @bgp_robot
  • …and the project's other services and infrastructure

Out of scope

  • Automated scanner output with no working proof of concept
  • Missing best-practice headers with no demonstrated impact
  • DoS and DDoS — denial-of-service and resource-exhaustion attacks

How to report

A good report helps us reproduce and fix the issue fast — and helps you get paid sooner.

  1. Describe the bug

     Explain the vulnerability, the affected URL or endpoint, and the security impact in clear terms.

  2. Add a PoC

     Include exact steps to reproduce, the requests or payloads used, and screenshots or a short video.

  3. Write to us

     Send everything to root@h2.nexus and wait for our reply. Please keep the issue private until it is fixed.

Found a vulnerability?

Send your report to root@h2.nexus

Email us a clear description and a proof of concept. We review every report, respond as fast as we can and reward valid, in-scope findings.

Please include steps to reproduce, the impact, and any supporting screenshots or logs.
