Our goal has always been to help society, companies and clients communicate securely on the Internet. We have done a lot for the security of our platform and much remains to be done, so Hacken has launched a program to find vulnerabilities and pay rewards for them. To participate, you must agree to and follow the rules described in this policy. You have to be the first to report a vulnerability to receive a reward. Send a clear written description of the work done, along with the steps needed to reproduce the vulnerability. Once you have submitted a report, do not disclose the vulnerability to anyone else or publish it anywhere.
Note that the program covers ONLY the resources listed below:
Vulnerabilities are critical gaps and technical flaws in systems that can violate the integrity, availability or confidentiality of users' information, or change the access rights to it.
We are interested in the following web vulnerabilities:
Submit your report via the dedicated form on the Hackenproof platform: it helps the triage team process the information and respond to you faster.
A vulnerability report should contain the following (when preparing a report, stick to this list of fields):
We appreciate the time you take to point issues out to us; it helps us improve our approach, and we don't want your efforts to go unrewarded. Eligible bugs are rewarded based on their CVSSv3 severity, with the following payout range:
Severity (CVSSv3) | Reward
Critical | 2272 HKN
High | 757 HKN
Medium | 378 HKN
Low | 75 HKN
In special cases the reward can be increased if the researcher demonstrates how the vulnerability can be used to inflict maximum harm.
Automated scanners that generate massive volumes of network traffic and may degrade system performance are prohibited. Restrict all testing to your own account and do not affect other users. Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not accepted. If you find a chain of vulnerabilities, we pay only for the vulnerability with the highest severity. DoS / DDoS against in-scope resources is forbidden. Follow the disclosure guidelines.
In general, the following findings do not meet the severity threshold and are not accepted in this program, either because testing for them is harmful and/or because they have a low impact on security:
Missing or weak Content-Security-Policy headers (Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP)
Certificate/TLS/SSL related issues
DNS issues (e.g. MX records, SPF records)
Server configuration issues (e.g. open ports, TLS settings)
We will make a best effort to meet the following SLAs for researchers participating in our program:
SLA | Plan
Time to first response (from report submission) | 1 day
Time to triage (from report submission) | 3 days
Time to bounty (from triage) | 5 days
We will keep you informed of our progress throughout the process.
Contact us if you want more information.