HackerEarth Bounty Program - program

HackerEarth has always provided safe and secure systems for the community and customers to interact with and use. However, it is possible that there could be areas with gaps in our posture that can compromise data integrity or pose a weakness in our systems, which can be exploited.

HackerEarth invites security researchers and community users to come forward and help in improving the security posture of our systems and applications. Through this program, we may provide monetary and non-monetary rewards, as well as, public recognition for vulnerabilities disclosed to the HackerEarth team. The rewards will be determined based on the criticality, severity, and impact of the findings. The rewards will be decided once the HackerEarth team has validated the findings shared with them.

Program eligibility

To be eligible to participate in our Bug Bounty Program, you must: - Be at least 18 years old if you test using a HackerEarth account - Not violate any national, state, or local law or regulation directly or indirectly while participating in the program

Processing

HackerEarth will review and respond as quickly as possible to your submission, and keep you informed as we work to fix the vulnerability you submitted. We may contact you for further information if necessary. Expect a response within 24-48 hours for an acknowledgement. Time to fix the issues will vary depending on impact and the complexity of the issue. The bounty will be processed within a month of reporting the bug. (We process the bounty in batches. We will keep you posted)

Scope

All URLs and endpoints under the hackerearth.com domain are eligible for the bug bounty program.

Rules of engagement

Do’s

Respect privacy and make a good-faith effort not to access, process, or destroy personal data
Be patient and make a good faith effort to provide clarifications to any questions that we may have about your report.
Comply to HackerEarth’s terms of use and any other applicable terms and conditions
Exercise caution when testing to avoid negative impact to customers and the services they depend on
Stop whenever unsure. If you think you may cause, or have caused, damage with testing a vulnerability, do the following:
1. Report your initial finding(s)
2. Request authorization to continue testing

Don'ts

Do not access (or attempt to access) any user’s account or non-public data unless it is part of findings
Do not affect or harm other users (or their access to or use of our services)
Do not perform any attack that could harm the reliability or integrity of our services or data. For example, DDoS/spam attacks are strictly prohibited.
Do not publicly disclose a vulnerability before we have resolved it. We appreciate your help and would like to post insights after releasing the patch.
Do not perform (or attempt) non-technical attacks, including but not limited to spam, social engineering, phishing, or physical attacks against our employees, users, or infrastructure

Rules of reporting

All the issues must be reported through email to support@hackerearth.com with an appropriate subject line. An example of a detailed subject line is: HackerEarth Bug Bounty | Vulnerability in xyz feature.

High-quality reports will help HackerEarth understand the issue clearly and engage the right team to address the issue. A good report will give enough information about the issue, the impact, and will allow our team to arrive at a solution quickly. All the bugs that are reported should be well-detailed and should contain at least the following information:

Severity
PoC (video or screenshots demonstrating the vulnerability)
Demonstrate the security impact
Context of the vulnerability

Important: Poor quality reports will not be accepted. Please ensure that your report is very well detailed.

All the bugs that are reported will be classified internally based on our understanding of the issue as High, Medium, or Low. The bounty rewards will be disbursed based on this classification.

Our teams will triage these issues internally and get back with a timeline for an appropriate fix and the bounty disbursement.

Scope of collection

The main categories of vulnerabilities that we are sincerely looking for are:

Directly affect the confidentiality or integrity of user data or which affects user privacy
Cross-site scripting (XSS)
Cross-site Request Forgery (CSRF)
Server-Side Request Forgery (SSRF)
SQL injection
Remote Code Execution (RCE)
XML External Entity Attacks (XXE)
Access Control Issues (Insecure Direct Object Reference issues, etc.)
Exposed administrative panels that give away sensitive information
Directory traversal issues
Local File Disclosure (LFD)
Vast users’ sensitive information leak
Privilege escalation/Bypassing sandboxing

Not in scope

Any of the following reports will be considered out of scope and will not qualify for the bug bounty program.

Physical or social engineering attempts (this includes phishing attacks against HackerEarth employees)
Negligible security impact
Unchained open redirects
Reports that state that system/package is out of date/vulnerable without a proof-of-concept
Speculative reports about theoretical damage (not proven with a PoC)
Vulnerabilities as reported by automated tools without additional analysis as to how they are an issue
SSL/TLS scan reports (this means output from sites such as SSL Labs)
Open ports without an accompanying proof-of-concept demonstrating vulnerability
Subdomain takeovers (you can however demonstrate that you are able to take over the page by leaving a non-offensive message, such as your username and we will look into it)
Best practices concerns
Rate limiting
Exposed login panels
Dangling IPs
Account enumeration
Distributed Denial of Service attacks (DDoS)