Bug Bounty Rules

Code of Conduct

• Outside Bounty-time, contact with committee members will not be tolerated.
• Don’t try to exploit any DoS vulnerabilities, social engineering attacks, physical attack or spam !
• No Bruteforce allowed
• Don't publicly disclose a bug before it has been fixed
• We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion.
• Don’t violate any law and stay in the defined scope
• You also must not disrupt any service, or compromise personal data
• Any failure to comply with these rules will be sanctioned by exclusion of hunter’s submission and even worse...

Golden rule

• To join the program, each hunter must create an account through the dashboard and read the rules.
• This validation will constitute acceptance of this rules and code of conduct.
• Each registrant will receive the title of HZV member for the entire duration of the Nuit Du Hack 2015.
• No actual or past employee of QWANT, DENYALL or Yax.it can join the program.

Validation Committee

• Decision: Solo
• Business: QWANT / DENYALL / Yax.it
• Post-intrusion: Julesi
• Pwnage: Onemore, Nicob
• Infrastructure + Business: Free_maN

Eligibility

To qualify for a bounty, you must:

• Be the first person to responsibly disclose the bug
• Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within the infrastructure, such as:
  authentication bypass, XSS/SQL/XML injections, CSRF, SSRF, RCE... (QWANT, Yax.it)
• Exploit vulnerable Web Application by bypassing protections (DENYALL)
• If the issue you submitted does not reach the severity for a bounty, but we feel that it did in some way point out something useful for us, then we will be happy to reward you a "Bounty"®
• Only exploit from the Nuit du Hack IP Address range will be considered valid.
• We reserve the right to decide if the submission should be refused or rewarded with a bounty or a "Bounty"® (http://en.wikipedia.org/wiki/Bounty_(chocolate_bar))

NON Eligibility

The following bugs are not eligible for a bounty:

• Duplicate bug
• Vulnerabilities not reliable or not reproducible (such as random value / hard to get value required for exploitation), CSRF in the logout function
• Missing “HTTP only” flag for cookies, which are not related to authentication-identification
• Missing “Secure” flags for any cookie
• Missing “X-Frame-Options”, “Strict-Transport-Security”, “Nosniff”, “X-Xss-Protection” headers
• Security bugs in third-party websites that integrate with Qwant or Yax.it.
• Denial of Service and bruteforce vulnerabilities
• Spam or Social Engineering techniques
• We reserve the right to refuse or reward the submission with a bounty or a "Bounty” ®.

Submitting bugs

Please observe the following rules:

• Submit bugs only through dashboard
• A Bug Bounty submission must contain an example (unique request or PoC code) and description of the weakness, and provide enough information to analyze the progress of the attack and can be easily replayed, which will simplify the validation of bugs and will impact the amount of the reward.
• The validity of each submission and the amount of reward shall be decided by the validation committee at Bounty-Time, as follows:
  • 10h30 Bounty opening, validation committee presentation
  • 11h30 End of the first bounty slot
  • 13h30 Bounty-Time, Awards
  • 19h15 Bounty-Time, Awards
  • 00h Bounty-Time, Awards
  • 05h or 06h Bounty-Time, Awards

Denyall Bug Bounty Details

The Denyall bug bounty will be divided in 4 phases associated with ascending security levels :

• 1st phase : bounty will be Bounty(TM) biscuits
• 2nd phase : bounty will be Denyall goodies
• 3rd and 4th phases : bounty will be made of cash money (after the 19:15 Bounty Time)

Each vulnerability could be submited during each phase.

Rewards

• Hall of Fame (HoF) for all and for the duration of the Bounty
• Money (bank check) within the limits of the pool, amount according to criticality / elegance / documentation
• Bounty © http://en.wikipedia.org/wiki/Bounty_(chocolate_bar)

Glossary

• Bounty-time : time when the validation committee meets to discuss of submission validity and the amount of rewards
• Bounty : financial reward after reporting a bug relevant, compliant with rules and interesting
• “Bounty”® : nutritive reward after reporting a bug relevant, compliant with rules. A real http://en.wikipedia.org/wiki/Bounty_(chocolate_bar)
• Dashboard : Web application allowing hunters to register, report bugs and follow their evolution
• Hunter : person doing the contest and physically located on the Nuit du Hack building.