Bountytalk - Forums Advertising & Bounty Hub

Other Bounties => Bug bounty programs => Topic started by: Angelina on May 02, 2023, 06:43:31 pm

Title: LeetCode Bug Bounty
Post by: Angelina on May 02, 2023, 06:43:31 pm

Eligibility

Reports on the following classes of vulnerability are eligible for reward, unless they are excluded (see the next section). In most cases, we will only reward the type of vulnerabilities that are listed below.

Arbitrary code execution
SQL injection
Privilege escalation (from unauthenticated user or to admin users)
Authentication bypass for login
Circumvention of permission model for apps or admin users
Cross-site request forgery
Cross-site scripting - See the next section for limitations

Known issues or previously reported vulnerabilities

The following reports are not considered vulnerabilities or are not the subject of this bug bounty program. Please do not report any of the following issues:

Any issue where staff users are able to insert JavaScript in their content
Any issue related to execution of JavaScript in the Rich Text Editor (for example, when editing the description of a problem)
Cross-site scripting that requires full control of an HTTP header, such as Referer, Host, etc.
Arbitrary file upload to the CDN server
Insecure cookie handling for non-sensitive cookies
Incorrect/No cookie expiration
CSRF for Login, Logout and Signup pages
Issues with the SPF, DKIM or DMARC records for Leetcode domains or mail system abuse
User enumeration
There's no "X-Content-Type-Options" HTTP header with nosniff value, which can lead to Content Sniffing
Content Spoofing on error and restore password page
Any kind of brute force attacks on our services.

Ineligible vulnerability types

Leetcode does not consider the following to be eligible vulnerabilities under this program:

Denial of Service
Social Engineering, including phishing
Failure to implement security best practices such as rate limiting or minimum password strength
Any issue that can only be exploited by physical access to someone's device or debug access being enabled, or that depends on a vulnerability in the operating system
Architectural decisions knowingly made by Leetcode are not considered valid submissions to the whitehat program, even if there may be a more secure alternative configuration. In general, issues that fall into this category will be rejected if we do not plan to implement a fix for them.

Rules for participation

The following rules must be followed in order to get any rewards:

Don’t attempt to gain access to another user’s account or data.
Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
Don’t publicly disclose a bug before it has been fixed.
Allow a reasonable amount of time for Leetcode to respond to your vulnerability report before publishing details of your exploit.
Only test for vulnerabilities on sites you know to be operated by Leetcode. Some sites hosted on subdomains of leetcode.com are either operated by third parties or no longer supported by us and are only there for legacy reasons. However, if it is possible to escalate privileges through a subdomain website to our original site, that might be eligible for the bug bounty.
Do not impact other users with your testing; this includes testing for vulnerabilities in repositories you do not own. We may suspend your Leetcode account and ban your IP address if you do so.
Don’t use scanners, scrapers or any other automated tools in your testing. They’re noisy, and we may suspend your Leetcode account and ban your IP address.
Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
When in doubt, contact us at support@leetcode.com.

Rules for us

We will respond as quickly as possible to your submission.
We will keep you updated as we work to fix the bug you submitted.
We will not take legal action against you if you play by the rules.