NUS Bug Bounty Challenge 2021

The NUS Bug Bounty Challenge is back! Similar to last year, we are inviting all NUS staff and students to participate in this event. Stand a chance to win attractive cash prizes, earn extra marks (for eligible modules) and gain a place in our Hall of Fame!

This year’s Bug Bounty Challenge will run from 6 Dec (Mon) to 19 Dec (Sun) 2021. Testing for vulnerabilities should only be conducted during this period, and only vulnerabilities submitted during this period will be considered. Signups will be open till 01 Dec 2021 3pm (Wed) via the HackerOne platform, which will be used to manage the submission and triage of bugs.

BACKGROUND

Our bug bounty programme incentivizes ethical hackers amongst our staff and students through cash rewards to uncover security vulnerabilities in our IT applications. By doing so, we are able to remediate these vulnerabilities before they can be exploited by a malicious threat actor. To ensure that all testing activity is carried out in a safe and controlled manner, we collaborate with HackerOne, which also runs similar programmes for GovTech, MINDEF and the Cybersecurity Agency of Singapore.

Last year, a total of US$13,700 was paid out to participating staff and students who successfully found bugs of varying severity.

REWARDS

Each bug which is found and verified will be assigned a severity level and a corresponding bounty will be awarded as follows:

Critical US$ 1500
High US$ 500
Medium US$ 250
Low US$ 100

Note: Bounties are awarded only to the first unique report of a previously unidentified vulnerability. Subsequent reports will be closed as duplicates and will not be eligible for a bounty.

STEPS TO SIGNUP
  1. Register and create an account via HackerOne’s platform at https://hackerone.com/sign_up (select “I am a Hacker”).
  2. Provide your details and HackerOne username via the signup form at https://nus.edu/bugbounty by 01 Dec 2021 3pm (Wed).
  3. Accept the challenge invitation email, which will be sent to you by 03 Dec 2021 (Fri).

Note: If you have joined our bug bounty programme previously, or you already have an existing HackerOne account, you do not need to sign up again on HackerOne. Simply use your existing account username to sign up.

RULES
  • The challenge is only open to NUS staff and students.
  • The list of NUS applications which are in scope will be made available only to registered participants. You may only perform testing on these applications.
  • Application/system owners and their respective support teams may not submit bugs related to the applications/systems they own or support.
  • All testing activities must be carried out through the HackerOne VPN. Please refer to the instructions sent to you once you have accepted the invitation.
  • Do not attempt to access or overwrite any data, especially private data, which you might gain access to.
  • Do not publicly disclose any vulnerabilities before they have been completely resolved.
  • Do not perform any tests that will disrupt services or prevent others from using them, e.g. DDoS/DoS attacks, brute-force attacks.
  • Do not use social engineering (such as phishing) to obtain credentials or access.
  • Do not use network-based exploits such as DNS poisoning or ARP spoofing.
  • Do not use exploits that require physical access to any system/machine.

NEW TO BUG BOUNTY/HACKERONE?

Please refer to the following resources to get started:

If you have any questions, please contact Lynn Mher Valmores or Meenakumari Suraparaj.