06/09/2018

Reward

300 $ 

Arkose Labs

Are you Turing Complete?

Arkose Labs invites you to test and help secure our CAPTCHAs and authentication portal. We appreciate your efforts and hard work in making our assets more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck!

Please read carefully, as there are two distinct sections to this brief.


Ratings/Rewards:

This is a non-standard program with special rewards. Please read carefully to determine how findings are rewarded.

The CAPTCHA challenge will offer no VRT-based vulnerability rewards.

CAPTCHA Challenges | Reward range
---|---
Level 3 | $2,000 - $5,600
Stacked Animals | $600 - $2,000
Solo Animals | $300 - $700

Rewards will be provided based on the difficulty of the CAPTCHA and the type of exploitation. Higher rewards will be provided for a simpler bypass.
For example:

  • If at the highest difficulty of CAPTCHA, you are able to bypass it in one minute using a specially designed request, that will provide you with the highest level reward.
  • If at the highest difficulty of CAPTCHA, you are able to bypass it by taking the time to design a neural net specifically geared to bypass the CAPTCHA, you will get the lowest reward for that challenge level.
  • In the end, we want to ultimately secure our CAPTCHA systems, and are rewarding all exploits that lead to CAPTCHA bypass. While you may only be eligible for a lower reward, we reserve the right to increase rewards based on ingenuity.

The rewards for dashboard.arkoselabs.com are as follows:

Reward Range

Last updated 27 August 2018 21:58:11 UTC

Technical severity | Reward range
---|---
P1 Critical | $2,400 - $5,600
P2 Severe | $1,200 - $2,800
P3 Moderate | $600 - $1,400
P4 Low | $300 - $700

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name | Type
---|---
dashboard.arkoselabs.com | Website
<https://client-demo.arkoselabs.com/solo-animals> | Other
<https://client-demo.arkoselabs.com/stacked-animals> | Other
Level 3, please contact whitehat@arkoselabs.com for access | Other

Out of scope

Target name | Type
---|---
status.arkoselabs.com | Website
arkoselabs.com | Website

Any domain/property of Arkose Labs not listed in the targets section is out of scope. This includes any/all subdomains not listed above.


CAPTCHA Challenge Information

Access

Single Animals

https://client-demo.arkoselabs.com/solo-animals

No human/manual labeling of samples for successful solves is allowed for ML-based solutions for this level.

Stacked Animals

https://client-demo.arkoselabs.com/stacked-animals

  • There should only be manual labeling of less than 1K images on a specific set and you must get better than 50% solve rate on that same set.
  • There should only be manual labeling of less than 10K images on set A and you must get better than 50% solve rate on set B.

Level 3

Please request access to the Level 3 challenge by sending an e-mail to whitehat@arkoselabs.com to request a link.

  • There should only be manual labeling of less than 1K images on a specific set and you must get better than 50% solve rate on that same set.
  • There should only be manual labeling of less than 10K images on set A and you must get better than 50% solve rate on set B.

Focus Areas:

  • Bypassing public/private key validation
  • Bypassing the CAPTCHA without having to participate in the challenges
  • Automating solving the captcha challenges at scale:
    • Going through the challenge(s)
    • Getting correct results
    • Submitting the results and receiving a “Solved!” response

Rules:

To prove that you've been successful at bypassing a CAPTCHA, we require detailed reproduction steps and, if required, full source code of your implementation so our Application Security Engineers can verify.

For brute-force type exploits, the success rate needs to be over 17%, or 1/6th, of new attempts.

In order for the submission to be within scope we require it to:

  • Be Programmatic/Automated, or bypassable via exploit
  • Be successful in more than 50% of attempts (“submit”s)
  • Work at scale - POC should solve at least 1000 challenges at aforementioned success rate.

Out-of-Scope

  • The primary goal is the CAPTCHA challenge, and we ask that you do not perform any other testing, especially tests related to Denial of Service.

Traditional Program Information

Access

dashboard.arkoselabs.com

This is the login portal for our main application. The login and forgot password pages are the only functionalities in scope for this section of the program.

Credentials

No credentials will be provided.

Focus Areas

  • Authentication bypass or privilege escalation
  • Remote code execution
  • Obtaining user information

Out of Scope

  • Do not perform any testing if you have found a way to authenticate. Any vulnerabilities found after authentication will not warrant any reward.
  • Denial of service
  • Spamming
  • Clickjacking, XSS or others that do not demonstrate a viable proof of concept for attack

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.


FireBounty (c) 2015-2018