To help strengthen the security of the new Hello IITK platform, we are starting a bug bounty program. We realize that when building a large platform, a small oversight on the part of the developers can lead to serious security bugs. While the developers of Hello IITK have tried their best to make the platform as secure as possible, there may still be some unfixed vulnerabilites.

If you believe you have found a security vulnerability on Hello IITK, we encourage you to let us know right away. We will investigate all legitimate reports and will help to get the problem fixed ASAP. If you wish to participate, read this entire document very carefully.

Submitting a report

You can submit your reports by filling this form.

Rewards

  • We will classify your report as one of the following, and you’ll get the corresponding rewards:
    • Not a security vulnerability: No rewards.
    • Extremely low-risk vulnerability: Mention in our Hall of Fame.
    • Mild Severity Vulnerability: Mention in our Hall of Fame + Amazon Gift Coupons worth INR 400
    • Medium Severity Vulnerability: Mention in our Hall of Fame + Amazon Gift Coupons worth INR 600
    • High Severity Vulnerability: Mention in our Hall of Fame + Amazon Gift Coupons worth INR 800
  • In addition to the above, you may get a certificate awarded by the Institute. The certification, and the contents of the certificate, will be at the discretion of Prof. T. V. Prabhakar.

Responsible Disclosure Policy

For you to participate in the program, we require that:

  • You do not modify or access data from any other user’s account, without the account owner’s explicit consent.
  • You try your best to avoid privacy violations and disruptions to others (which may include things like unauthorized access to or destruction of data, and interruption or degradation of the services of the Hello IITK platform).
  • If, while investigating an issue, you inadvertently access any data that you are not supposed to, you must promptly notify us and then immediately delete the information from your system. You must also acknowledge the inadvertent access in any related bug bounty report you may subsequently submit. You may not share the inadvertently accessed information with anyone else.
  • You do not exploit a security issue you discover for any reason other than for testing purposes, and you do not conduct testing outside of your own account, or another account for which you have the explicit written consent of the account owner to test.
  • You give us reasonable time to investigate and mitigate an issue you report before publicly disclosing any information about the report or sharing such information with others.

TL;DR

Don’t do anything that can dirsupt the proceeding of any course. For testing vulnerabilities that may provide unauthorized access to another user’s account, we encourage you to form teams and test the vulnerabilities on your teammates’ accounts only. Also, don’t share the details of the vulnerability publicly.

Important Note

Any queries or API requests made by you, while logged in, may be tracked. So if you violate any rule, you will be liable to punishment.

Bug Bounty Program Processes

We will recognize and reward security researchers who help us secure the Hello IITK platform by reporting any found vulnerabilities. Rewards for such reports are entirely at the discretion of the organisers (that include the Coordinators of the Programming Club and Prof. T. V. Prabhakar’s team of developers), based on risk, impact, and other factors. To be considered for a bounty, you must meet the following requirements:

  • Adhere to our Responsible Disclosure Policy.
  • Report a security bug: that is, identify a vulnerability in the platform which creates a security or privacy risk. (Note that the organisers ultimately determine the risk of an issue, and that many software bugs are not security issues.) Report the vulnerability upon discovery or as soon as is feasible.
  • Submit your report via the form link given in the “Submitting a report” section of this document (one submission per report) and respond to any follow-up requests from the organisers for updates or further information.
  • Use your own or your teammates’ accounts when investigating issues. Do not use or interact with the account belonging to another person without explicit consent of the account owner.
  • Contact the coordinators of the Programming Club for clarification on anything not covered in these terms.

In turn, we will follow these guidelines when evaluating reports under our bug bounty program:

  • We investigate and respond to all valid reports.
  • We determine the rewards based on a variety of factors, including (but not limited to) impact, ease of exploitation, and quality of the report. Note that extremely low-risk issues may not qualify for a bounty at all.
  • In the event of duplicate reports, we award a bounty to the first person to submit an issue.
  • We reserve the right to publish reports (and accompanying updates).
  • We publish a list of researchers who have submitted valid security reports.
  • We may retain any communications about security issues you report for as long as we deem necessary for program purposes, and we may cancel or modify this program at any time.

Issues not eligible for bounties

Out of Scope

  • Spamming the platform.
  • Social Engineering attacks.
  • Denial-of-service attacks.

Note that you may be subject to punishment if you perform any of the above mentioned attacks.

False positives

  • Bugs that are not security vulnerabilities.
  • Reports that are not reproducible.
  • Accessing data that is available publicly by design.

Conclusion

We hope that you will enjoy trying to find security bugs on the Hello IITK platform. Even if you don’t find any vulnerabilities, we hope it will be a great learning experience for you.