HackIT – it’s an informational security forum that gathering community of experts. Forum website – it’s a place where people can sign up by sending their personal data, buy ticket and look at the content of event.

Program Rules

About

HackIT – it’s an informational security forum that gathering community of experts.

Forum website – it’s a place where people can sign up by sending their personal data, buy ticket and look at the content of event. If you believe you've detected a vulnerability that could harm users, we'd like to hear about it by participating in our Responsible Disclosure Program.

Rewards

We appreciate your valuable time while security testing and ready to give non-cash rewards only. All rewards will be awarded during forum, at main stage.

• Awesome swag and branded gear
• Community appreciating
• Hall of Fame

Scope

Turn your attention that the program includes ONLY resources that are listed below:

• hackit.ua

Non-Qualifying Vulnerabilities will be closed as Not Applicable

Best practices concerns:

• Vulnerabilities affecting users of outdated or unsupported browsers or platforms
• Self-XSS that cannot be used to exploit other users
• Vulnerabilities in third-party applications
• Reports from automated tools or scans
• Denial of Service Attacks
• Host Header Injection
• Reflected File Download (RFD)
• Username Enumeration
• Physical or social engineering attempts (this includes phishing attacks against HackIT employees)
• Content injection issues
• Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
• Missing autocomplete attributes
• Missing cookie flags
• Issues which require physical access to a victim’s computer
• Missing security headers which do not present an immediate security vulnerability
• SSL/TLS scan reports (this means output from sites such as SSL Labs)
• Banner grabbing issues (figuring out what web server we use, etc)
• Open ports without an accompanying proof-of-concept demonstrating vulnerability
• Open Redirect Vulnerabilities
• Publicly accessible login panels
• Recently disclosed 0day vulnerabilities - please give us two weeks before reporting these types of issues.
• identification of HackIT data in OSINT sources in absence of a working exploit (i.e shadowserver, rbl, etc).
• Email/SMS flooding attacks
• Issues related to software or protocols not under HackIT control
• Physical attempts against HackIT personnel, property or data centers
• Clickjacking and the issues exploited only by clickjacking

Rules of Engagement

Please refrain from accessing sensitive information (by using a test account and/or system), performing actions that may negatively affect other HackIT users (denial of service), or sending reports from automated tools.