
634 bounties in database
02/08/2018

Hackenproof
About


Our goal has always been to help society, companies and clients communicate securely on the Internet. We have done a lot for the security of our platform and much remains to be done; nevertheless, Hacken has launched a program to find vulnerabilities and pay rewards for them. To participate in the contest, you must agree to and follow the rules described in this policy. You have to be the first to report a vulnerability to receive a reward. You should send a clear textual description of the work done, along with steps to reproduce the vulnerability. After submitting a report about a vulnerability, you must not disclose it to anyone, anywhere.

Scope


Note that the program includes ONLY the resources listed below:

  • hackenproof.com

What to look for


Vulnerabilities are critical gaps and technical flaws in systems that can violate the integrity, availability or confidentiality of users' information, or change the access rights to it.

We are interested in the following web vulnerabilities:

  • Remote code execution and stored XSS
  • Database vulnerability
  • Privilege escalation (both vertical and horizontal)
  • Data breach
  • Authentication bypass
  • CSRF
  • Obtaining sensitive information
  • Shell inclusion

Where and how to report


You can submit a report via the dedicated form on the Hackenproof platform: it helps the triage team process the information and respond to you faster.

A vulnerability report should contain the following fields (stick to this list when preparing a report):

  • Vulnerability Title;
  • Target - link to the vulnerable resource;
  • Vulnerability details;
  • Validation steps;
  • Impact - What does the vulnerability allow the attacker to accomplish?;
  • Recommended fix;
  • Vulnerability category;
  • Severity level;
  • Additional info;
  • File Upload - if it’s needed;

The size of rewards


We appreciate you taking the time to point issues out to us; it helps us improve our approach. While we are very thankful for your efforts, we don't want them to go unrewarded. Eligible bugs are rewarded based on their CVSSv3 severity, within the following payout range:

Severity (CVSSv3) | Reward
---|---
Critical | 2272 HKN
High | 757 HKN
Medium | 378 HKN
Low | 75 HKN

In special cases, the size of the award can be increased if the researchers demonstrate how the vulnerability can be used to inflict maximum harm.

The rules of bug bounty program


Automated scanners that generate massive network traffic volumes and may affect system performance are prohibited. Limit all your tests to your own account. Don't affect other users. Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed. If you find a chain of vulnerabilities, we pay only for the vulnerability with the highest severity. It is forbidden to perform DoS / DDoS against resources in the Scope. Follow the disclosure guidelines.

Out-of-Scope


In general, the following vulnerabilities do not meet the severity threshold. This section lists problems that are not accepted in this competition, either because testing them is harmful and / or because they have a low impact on security.

  • UI and UX bugs and spelling or localization mistakes.
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing auth tokens, we do still want to hear about them
  • Publicly accessible login panels without proof of exploitation.
  • Reports that state that software is out of date/vulnerable without a proof of concept.
  • Host header issues without proof-of-concept demonstrating the vulnerability.
  • HTTP error codes/pages or other non-success HTTP response codes/pages.
  • Fingerprinting/banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking.
  • CSRF in forms that are available to anonymous users (e.g. the contact form).
  • Login & Logout CSRF
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-security-sensitive Cookies.
  • OPTIONS HTTP method enabled
  • Lack of Security Speed bump when leaving the site.
  • Weak Captcha
  • Content injection issues.
  • HTTPS Mixed Content Scripts
  • Content Spoofing without embedded links/html
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
  • Reflected File Download (RFD).
  • Best practices concerns.
  • Highly speculative reports about theoretical damage. Be concrete.
  • Missing HTTP security headers, e.g.:
      • Strict-Transport-Security
      • X-Frame-Options
      • X-XSS-Protection
      • Host Header
      • X-Content-Type-Options
      • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
      • Content-Security-Policy-Report-Only
  • Infrastructure vulnerabilities, including:
      • Certificates/TLS/SSL related issues
      • DNS issues (i.e. MX records, SPF records, etc.)
      • Server configuration issues (i.e. open ports, TLS, etc.)

  • Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including all versions of Internet Explorer
  • Vulnerabilities involving active content such as web browser add-ons
  • XSS issues that affect only outdated browsers (like Internet Explorer)
  • Issues that require physical access to a victim’s computer.
  • Physical or social engineering attempts (this includes phishing attacks against employees).
  • Recently disclosed 0day vulnerabilities.
  • Microsites with little to no user data
  • Most brute forcing issues
  • Denial of service
  • Spamming

SLA


We will make a best effort to meet the following SLAs for researchers participating in our program:

SLA | Plan
---|---
Time to first response (from report submit) | 1 day
Time to triage (from report submit) | 3 days
Time to bounty (from triage) | 5 days

We’ll try to keep you informed about our progress throughout the process.


FireBounty (c) 2015-2018