NUS Bug Bounty Challenge Scope and Rules
NUS IT is excited to announce the NUS Bug Bounty Program, an initiative to improve our cybersecurity awareness and posture through community effort. Partnering with HackerOne and SOC, we aim to expose ALL NUS students to ethical hacking through online games, sharing by hackers and discovering bugs on NUS production systems. Sign up now!
SCOPE
Domain | Examples of In Scope Vulnerabilities | Examples of Out Of Scope Vulnerabilities |
---|---|---|
To be provided * | Remote Code Execution (RCE) | Any bug that does not pose a real or demonstrable security risk |
To be provided * | SQL Injection | Denial Of Service Attacks (DOS) |
To be provided * | Authorization bypass | Social Engineering |
To be provided * | Privilege escalation | Physical exploits of our servers or network |
To be provided * | Sensitive Data Exposure | Local network-based exploits such as DNS poisoning or ARP spoofing |
To be provided * | Cross Site Scripting (XSS) | Clickjacking, open redirects, or lack of security headers |
To be provided * | Cross Site Request Forgery (CSRF) | |
To be provided * | Security Misconfiguration | |
*The domain will be emailed to participants who have signed up with HackerOne using their NUS-ID, upon accepting the terms and conditions for the challenge.
REWARDS
Severity | Amount in USD** | Examples |
---|---|---|
Critical | US$1500 | Remote Code Execution |
High | US$500 | Authorization Bypass |
Medium | US$250 | Cross Site Scripting |
Low | US$100 | Others |
**Bounties are awarded only to the first unique report of a previously unidentified vulnerability. Subsequent reports will be closed as duplicates and will not be eligible for a bounty.
OTHER REWARDS
Modules | Description |
---|---|
CS2107 | Intro to Information Security |
CS3235 | Computer Security |
CS4238 | Computer Security Practice |
CS4239 | Software security |
CS5321 | Network Security |
CS5331 | Web Security |
Extra marks can be claimed by a Bounty Winner in at most one module in AY19/20.
The number of marks is to be decided by the respective module coordinator.
RULES
❖ You must be an NUS student and register on the HackerOne platform using your NUS-ID.
❖ All activities have to be carried out through the HackerOne VPN using the assigned IP.
❖ Do not attempt to access or overwrite any data, especially private data, which you gain access to.
❖ Do not publicly disclose any vulnerabilities before they have been completely resolved.
❖ Do not perform any tests that will disrupt services or impair others from using them, for example DDoS/DoS attacks or brute-force attacks.
❖ Do not social engineer or phish users.
❖ No local network-based exploits such as DNS poisoning or ARP spoofing.
❖ No physical exploits of our servers or network.
FAQ
❖ If you wish to use your existing HackerOne ID, please inform us (cceits@nus.edu.sg) of your HackerOne ID from your NUS-ID email address.