Banner object (1)

5089 policies in database
  Back Link to program      
22/01/2020
Topcoder logo
Thanks
Gift
Hall of Fame
Reward

Topcoder

Topcoder is the world's largest crowdsourcing company connecting global talent in design, software development, data science, and QA with customers. Topcoder always looks to do things “crowd first” and is excited to work with the security community at HackerOne to find vulnerabilities in order to keep our businesses and customers safe.

Response Targets

Topcoder will make a best effort to meet the following SLAs for hackers participating in our program:

Type of Response | SLA in business days
---|---
First Response | 2 days
Time to Triage | 2 days
Time to Resolution | Depends on severity and complexity

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

  • As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • Follow HackerOne's disclosure guidelines .

Program Rules

  • Please limit any automated scanning to 100 requests per minute. Aggressive testing that causes service degradation will be grounds for removal from the program.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • Do not create an excessive amount of records (more than 10) including accounts, projects, posts, challenges.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario /

exploitability, and (2) security impact of the bug.

The following issues are considered out of scope:

  • Known issues of JBOSS Version
  • Known issues JWT Tokens still valid after log out
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Rate limiting or bruteforce issues on non-authentication endpoints
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Tabnabbing
  • Open redirect - unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Topcoder and our users safe!

In Scope

Scope Type Scope Name
ios_application

ios.topcoder.com

web_application

www.topcoder.com

web_application

api.topcoder.com

web_application

arena.topcoder.com

web_application

blockchain.topcoder.com

web_application

bugzilla.topcoder.com

web_application

cmap.topcoder.com

web_application

cognitive.topcoder.com

web_application

community.topcoder.com

web_application

community-app.topcoder.com

web_application

connect.topcoder.com

web_application

crowdsourcing.topcoder.com

web_application

dashboards.topcoder.com

web_application

demo.topcoder.com

web_application

dev1.topcoder.com

web_application

dna.topcoder.com

web_application

enterprise.topcoder.com

web_application

facedetection.topcoder.com

web_application

faceid.topcoder.com

web_application

feeds.topcoder.com

web_application

forums.topcoder.com

web_application

hfgeoloc.topcoder.com

web_application

idolondemand.topcoder.com

web_application

innovation.topcoder.com

web_application

lauscher.topcoder.com

web_application

leaderboards.topcoder.com

web_application

members.topcoder.com

web_application

morgoth.topcoder.com

web_application

namedentity.topcoder.com

web_application

pam-wind-dash.topcoder.com

web_application

pins-dash.topcoder.com

web_application

quantum.topcoder.com

web_application

radiological.topcoder.com

web_application

ragnar.topcoder.com

web_application

scavengerhunt.topcoder.com

web_application

software.topcoder.com

web_application

solutions.topcoder.com

web_application

spacenet.topcoder.com

web_application

spacenet2.topcoder.com

web_application

status.topcoder.com

web_application

studio.topcoder.com

web_application

submission-review.topcoder.com

web_application

submission-review-api.topcoder.com

web_application

success.topcoder.com

web_application

tco12.topcoder.com

web_application

tco15.topcoder.com

web_application

tco16.topcoder.com

web_application

tco17.topcoder.com

web_application

tco18.topcoder.com

web_application

tco19.topcoder.com

web_application

textsummarization.topcoder.com

web_application

veterans.topcoder.com

web_application

vpn.topcoder.com

web_application

webhooks.topcoder.com

web_application

wordpress.topcoder.com

web_application

wordpress-move.topcoder.com

web_application

x.topcoder.com

web_application

zurich.topcoder.com

web_application

accounts.topcoder.com

web_application

app.topcoder.com

web_application

apps.topcoder.com

Out of Scope

Scope Type Scope Name
other

Out of Scope: * admin.topcoder.com * api-work.topcoder.com * dev.arena.topcoder.com * qa.arena.topcoder.com * arenaws.topcoder.com * asteroids.topcoder.com * beta.topcoder.com * beta-community-app.topcoder.com * blitz.topcoder.com * bluehost.topcoder.com * bluehost-test01.topcoder.com * bluehost-test02.topcoder.com * cmap-leaders.topcoder.com * coder.topcoder.com * codeyourwayin.topcoder.com * dtn.topcoder.com * epa.topcoder.com * epa.topcoder.com * hphaven.topcoder.com * ideas.topcoder.com * info.topcoder.com * internal-api.topcoder.com * jp.topcoder.com * lightning.topcoder.com * link.topcoder.com * mediasharedev.topcoder.com * mediasharepoc.topcoder.com * mobile.topcoder.com * predix.topcoder.com * qa.topcoder.com * software.qa.topcoder.com * studio.qa.topcoder.com * site.topcoder.com * smtp.topcoder.com * swift.topcoder.com * talk.topcoder.com * tcdev1.topcoder.com * tcdev3.topcoder.com * topgear.topcoder.com * training.topcoder.com * tunnel1.topcoder.com * vorbote.topcoder.com * wiki.topcoder.com * x-receiver.topcoder.com

web_application
  • admin.topcoder.com
web_application
  • api-work.topcoder.com
web_application
  • dev.arena.topcoder.com
web_application
  • qa.arena.topcoder.com
web_application
  • arenaws.topcoder.com
web_application
  • asteroids.topcoder.com
web_application
  • beta.topcoder.com
web_application
  • beta-community-app.topcoder.com
web_application
  • blitz.topcoder.com
web_application
  • bluehost.topcoder.com
web_application
  • bluehost-test01.topcoder.com
web_application
  • bluehost-test02.topcoder.com
web_application
  • cmap-leaders.topcoder.com
web_application
  • coder.topcoder.com
web_application
  • codeyourwayin.topcoder.com
web_application
  • dtn.topcoder.com
web_application
  • epa.topcoder.com
web_application
  • hphaven.topcoder.com
web_application
  • ideas.topcoder.com
web_application
  • info.topcoder.com
web_application
  • internal-api.topcoder.com
web_application
  • jp.topcoder.com
web_application
  • lightning.topcoder.com
web_application
  • link.topcoder.com
web_application
  • mediasharedev.topcoder.com
web_application
  • mediasharepoc.topcoder.com
web_application
  • mobile.topcoder.com
web_application
  • predix.topcoder.com
web_application
  • qa.topcoder.com
web_application
  • software.qa.topcoder.com
web_application
  • studio.qa.topcoder.com
web_application
  • site.topcoder.com
web_application
  • smtp.topcoder.com
web_application
  • swift.topcoder.com
web_application
  • talk.topcoder.com
web_application
  • tcdev1.topcoder.com
web_application
  • tcdev3.topcoder.com
web_application
  • topgear.topcoder.com
web_application
  • training.topcoder.com
web_application
  • tunnel1.topcoder.com
web_application
  • vorbote.topcoder.com
web_application
  • wiki.topcoder.com
web_application
  • x-receiver.topcoder.com

This program have been found on Hackerone on 2020-01-22.

FireBounty © 2015-2020

Legal notices