Arkose Labs invites you to test and help secure our CAPTCHAs and authentication portal. We appreciate your efforts and hard work in making our assets more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck!
Please read carefully, as there are two distinct sections to this brief
This is a non-standard program with special rewards. Please read carefully to determine how findings are rewarded.
The CAPTCHA challenge will offer no VRT based vulnerability rewards
| CAPTCHA Challenges
Level 3 | $1000 - 5,600
Stacked Animals | $300 - 1000
Solo Animals | $100 - 500
Rewards will be provided based on the difficulty of CAPTCHA, and type of
exploitation. Higher rewards will be provided for a simpler bypass.
The rewards for dashboard.arkoselabs.com are as follows:
Last updated 2 October 2018 20:00:19 UTC
Technical severity | Reward range
p1 Critical | $2,400 - $5,600
p2 Severe | $1,200 - $2,800
p3 Moderate | $600 - $1,400
p4 Low | $300 - $700
P5 submissions do not receive any rewards for this program.
Target name | Type
dashboard.arkoselabs.com | Website
<https://client-demo.arkoselabs.com/solo-animals> | Other
<https://client-demo.arkoselabs.com/stacked-animals> | Other
Level 3, please contact firstname.lastname@example.org for access | Other
Target name | Type
status.arkoselabs.com | Website
arkoselabs.com | Website
Any domain/property of Arkose Labs not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
No human/manual labeling of samples for successful solves are allowed for ML based solutions for this level.
Please request access to the Level 3 challenge by sending an e-mail to email@example.com to request a link.
To prove that you've been successful at bypassing a CAPTCHA, we require detailed reproduction steps and, if required, full source code of your implementation so our Application Security Engineers can verify.
For Brute force type exploits, the successrate needs to be over 17% or 1/6th of new attempts.
In order for the submission to be within scope we require it to:
This is the login portal for our main application. Login, and the forgot password pages , are the only functionalities in scope for this section of the program.
No credentials will be provided.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.