__Rewards
| Severity (CVSSv3) | Reward |
|---|---|
| Low | 0 HKN |
| Medium | 0 HKN |
| High | 0 HKN |
| Critical | 0 HKN |
__Program Rules
About
The information security of the company and the security of our users' data
are a top priority for us, therefore NapoleonX has launched a contest to find
vulnerabilities and pay rewards for them. To participate in the contest, you
must agree to and follow the rules described in this policy. You must be the
first to report a vulnerability in order to receive a reward. You must send a
clear textual description of the work done, along with steps to reproduce the
vulnerability. Once you have submitted a report, you may not disclose the
vulnerability to anyone, anywhere.
Special condition
Please note that we have a limited budget for this program, and the contest is
limited to 48 hours starting from 03:00 PM EET, 02 FEB 2018.
Scope
In scope are the NapoleonX web services that store or process users' personal
information. Personal information is, for example, logins and passwords,
correspondence, order history and payment data.
WEB services and API:
- napoleonx.ai
- ico-api.napoleonx.ai
  - ico-api.napoleonx.ai/api
  - ico-api.napoleonx.ai/validation
What to look for
Vulnerabilities are critical gaps and technical flaws in systems that can
violate the integrity or confidentiality of user information, as well as
change access rights to it.
WEB and API:
- Remote code execution and stored XSS
- Privilege escalation (both vertical and horizontal)
- Data breach
- Authentication bypass
Where and how to report
Reports are best submitted through the dedicated form on the HackenProof
platform, so that the triage team can process the information you send and
respond to you faster.
We want to see in the vulnerability report:
(when writing a report, stick to this list, so that the reward is the maximum
and reaches you faster)
- the resource on which the vulnerability was found;
- type of vulnerability;
- attack vector;
- risks from possible exploitation of the vulnerability;
- reproduction steps;
- possible ways of fixing the bug;
- screenshots / screen recordings confirming the presence of the vulnerability and demonstrating the reproduction steps.
The size of awards
The size of the award depends on the severity of the vulnerability, as follows:
| Severity (CVSSv3) | Reward |
|---|---|
| Critical | 350 HKN |
| High | 200 HKN |
| Medium | not rewarded |
| Low | not rewarded |
In special cases, the size of the award can be increased if the researchers
demonstrate how the vulnerability can be used to inflict maximum harm.
Out-of-Scope
In general, the following vulnerabilities do not meet the severity threshold.
This section lists problems that are not accepted in this competition, because
they are malicious and/or because they have a low impact on security.
- UI and UX bugs and spelling or localization mistakes.
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- Open redirects. 99% of open redirects have low security impact. For the rare cases where the impact is higher, e.g., stealing auth tokens, we do still want to hear about them.
- Publicly accessible login panels without proof of exploitation.
- Reports that state that software is out of date/vulnerable without a proof of concept.
- Host header issues without proof-of-concept demonstrating the vulnerability.
- HTTP error codes/pages or other non-success HTTP codes/pages.
- Fingerprinting/banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking/Tapjacking and issues only exploitable through clickjacking/tapjacking.
- CSRF in forms that are available to anonymous users (e.g. the contact form).
- Login & Logout CSRF
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HTTPOnly flags on non-security-sensitive Cookies.
- OPTIONS HTTP method enabled
- Lack of a security speed bump when leaving the site.
- Weak Captcha
- Content injection issues.
- HTTPS Mixed Content Scripts
- Content Spoofing without embedded links/html
- Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console).
- Reflected File Download (RFD).
- Best practices concerns.
- HTML Injection
- Highly speculative reports about theoretical damage. Be concrete.
- Missing HTTP security headers, for example:
  - Strict-Transport-Security
  - X-Frame-Options
  - X-XSS-Protection
  - Host Header
  - X-Content-Type-Options
  - Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
  - Content-Security-Policy-Report-Only
- Infrastructure vulnerabilities, including:
  - Certificates/TLS/SSL related issues
  - DNS issues (i.e. MX records, SPF records, etc.)
  - Server configuration issues (i.e., open ports, TLS, etc.)
- Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers will not be honored, including Internet Explorer (all versions)
- Vulnerabilities involving active content such as web browser add-ons
- XSS issues that affect only outdated browsers (like Internet Explorer)
- Issues that require physical access to a victim’s computer.
- Physical or social engineering attempts (this includes phishing attacks against employees).
- Recently disclosed 0day vulnerabilities.
- Microsites with little to no user data
- Most brute forcing issues
- Denial of service
- Spamming