BUG BOUNTY
Code Of Conduct
- Don’t try to exploit any DoS vulnerabilities, social engineering attacks, physical attack or spam !
- No Bruteforce allowed
- Don't publicly disclose a bug before it has been fixed
- We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion.
- Don’t violate any law and stay in the defined scope
- You also must not disrupt any service, or compromise personal data
- Any failure to comply with these rules will be sanctioned by exclusion of hunter’s submission and even worse...
Golden Rule
- Each hunter have to create an account on the Bug Bounty platform BountyFactory.io in order to validate the rules before hunting for bugs and accessing to the programs.
- Each hunter of the NuitDuHack Bug bounty will be subject to terms of use of the BountyFactory.io platform.
- Each registrant will receive the title of HZV member for the entire duration of the Nuit Du Hack 2016.
- No actual or past employee of program’s scopes can join the program.
Validation Committee
- Decision: Solo
- Business: Program's scope
- Pwnage: Onemore, Nicob, Skunk
Eligibility
To qualify for a bounty, you must:
- Comply with the rules of each program described on BountyFactory.io
- Be the first person to responsibly disclose the bug
- Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within the infrastructure, such as: authentication bypass, XSS/SQL/XML injections, CSRF, SSRF, RCE...
- If the issue you submitted does not reach the severity for a bounty, but we feel that it did in some way point out something useful for us, then we will be happy to reward you a "Bounty"®
- Only exploit from the Nuit du Hack IP Address range will be considered valid.
- We reserve the right to decide if the submission should be refused or rewarded with a bounty or a "Bounty"® (http://en.wikipedia.org/wiki/Bounty_(chocolate_bar))
Non Eligibility
The following bugs are not eligible for a bounty:
- Duplicate bug
- Vulnerabilities not reliable or not reproducible (such as random value / hard to get value - required for exploitation), CSRF in the logout function
- Missing “HTTP only” flag for cookies, which are not related to authentication-identification
- Missing “Secure” flags for any cookie
- Missing “X-Frame-Options”, “Strict-Transport-Security”, “Nosniff”, “X-Xss-Protection” headers
- Security bugs in third-party websites that integrate with program’s scopes.
- Denial of Service and bruteforce vulnerabilities
- Spam or Social Engineering techniques
- We reserve the right to refuse or reward the submission with a bounty or a "Bounty” ®.
Submitting Bugs
Please observe the following rules:
- Submit bugs only through Bug Bounty plateform bountyfactory.io
- A Bug Bounty submission must contain an example (unique request or PoC code) and description of the weakness, and provide enough information to analyze the progress of the attack and can be easily replayed, which will simplify the validation of bugs and will impact the amount of the reward.
- The validity of each submission and the amount of reward shall be decided by the validation committee.
10h30 Bounty opening, validation committee presentation
Rewards
- Hall of Fame (HoF) for all and for the duration of the Bounty
- Bounty within the limits of the pool, amount according to criticality / elegance / documentation (All the rewards will be made through BountyFactory platform)
- Bounty ©
Glossary
- Bounty : financial reward after reporting a bug relevant, compliant with rules and interesting
- “Bounty”® : nutritive reward after reporting a bug relevant, compliant with rules. A [real] (http://en.wikipedia.org/wiki/Bounty_(chocolate_bar))
- Dashboard : Web application allowing hunters to register, report bugs and follow their evolution
- Hunter : person doing the contest and physically located on the Nuit du Hack building.