HackerEarth Bounty Program

We work hard everyday to maintain and improve our systems and processes so that our end users can learn programming safely online at all times. However, we are like others, should you find a weakness in one of our IT systems, we would appreciate your help.

HackerEarth maintained a private bug bounty program till now. The program was known to few and only reward part was HackerEarth t-shirt and swag kit. After growing demand and a need for healthy bug bounty program, we have decided to open the program to engage with security community helping us see a safer tomorrow.

This program will help recognize the contributions of security researchers who invest their time and effort in helping us make HackerEarth more secure. Through this program, we provide monetary rewards and public recognition for vulnerabilities disclosed to the HackerEarth Team. The reward level is based on the bug severity and increases for higher quality reports that include PoC, detailed insights, steps to reproduce the bug, test cases, and patches.

Report Format:

  • The main URL where the vulnerability locates (For web vulnerabilities).
  • A detailed description with necessary screenshots.
  • Steps to reproduce the vulnerability and your advice to fix it.
  • Versions of web components related to the vulnerability (browser, OS, APP version, etc.).
  • Other useful information related to the bug.

Domains covered:

All urls with domain *.hackerearth.com are covered.

Bounty Range:

We maintain flexibility with our reward system, and have no minimum/maximum amount; rewards are based on severity, impact, and report quality.

Processing:

HackerEarth will review and respond as quickly as possible to your submission, and keep you informed as we work to fix the vulnerability you submitted. We may contact you for further information if necessary. Generally 24-48 hours to respond and an effective time of a week for a mean time to resolution and pay out.

Basic Rules:

In addition to complying with our Terms of Use and any other applicable terms and conditions, you must also follow these basic rules when participating in our bug bounty program:

  • Do not access (or attempt to access) any user’s account or non-public data unless it is part of findings.
  • Do not affect or harm other users (or their access to or use of our services).
  • Do not perform any attack that could harm the reliability or integrity of our services or data. For example, DDoS/spam attacks are strictly prohibited.
  • Do not publicly disclose a vulnerability before we have resolved it. We appreciate your help, and would like to post insights after releasing patch.
  • Do not perform (or attempt) non-technical attacks, including spam, social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

Scope of Collection:

The main categories of vulnerabilities that we are sincerely looking for are:

  • Directly affect the confidentiality or integrity of user data or which affects user privacy
  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • SQL Injection
  • Remote Code Execution (RCE)
  • XML External Entity Attacks (XXE)
  • Access Control Issues (Insecure Direct Object Reference issues, etc.)
  • Exposed Administrative Panels that without strong protection
  • Directory Traversal Issues
  • Local File Disclosure (LFD)
  • Vast Users’ Sensitive Information Leakage
  • Vast Order details Leakage
  • Privilege Escalation / Bypassing Sandboxing
Notifications
Mark All as Read
View All Notifications

?