NUS Bug Bounty Challenge 2024

We are excited to announce that the Bug Bounty Challenge 2024 event will run from 20 May 2024 (Mon) to 02 June 2024 (Sun). This event is designed to give our community the opportunity to showcase their skills in cybersecurity and help us identify potential vulnerabilities in our NUS application systems. We are also excited to introduce our platform partner, Yes We Hack – a recognised global Bug Bounty and Vulnerability Management Platform. They will be providing the technology and expertise to help make this event a success.

BACKGROUND

For those who may be unfamiliar with the concept, a bug bounty program is a crowdsourced initiative that offers rewards to ethical hackers who find and report security vulnerabilities in application systems. This event will be an excellent opportunity for our community to showcase their skills, learn from industry experts, win attractive cash rewards and help improve the security of our applications/systems. We encourage all NUS staff and students to participate whether you are an experienced hacker or a beginner.

In preparation for the bug bounty challenge, NUS and Yes We Hack will be offering training to anyone who is interested in learning more about ethical hacking. The sessions will be conducted by a professional ethical hacker.

We believe that this event will be an excellent opportunity for our community to showcase their skills, learn from industry experts, and help improve our cybersecurity. We encourage all NUS staff and students to join and take part, whether you are an experienced hacker or a beginner.

Register your interest via http://nus.edu/bugbounty! Participants get a swag pack and stand a chance to win attractive cash bounty prizes of up to S$3,000 per bug. Earn a spot in our Hall of Fame!

So mark your calendars and get ready to participate in our Bug Bounty Challenge 2024 event. We look forward to your participation in this bug hunting event!

REWARDS

Each bug found will be verified and assigned a severity level. The bounty prizes will be awarded as follows:

  • Critical: S$3,000
  • High: S$1,000
  • Medium: S$500
  • Low: S$200

Note: Bounties are awarded only to the first unique report of a previously unidentified vulnerability. Subsequent reports will be closed as duplicates and will not be eligible for a bounty.

STEPS TO SIGN UP

  1. Register and create an account via Yes We Hack’s platform at https://yeswehack.com/auth/register and select “New User”.
  2. Provide your details and Yes We Hack username via the signup form at https://nus.edu/bugbounty by 13 May 2024 12pm (Mon).
  3. Accept the challenge invitation email, which will be sent to you by 17 May 2024 (Fri).

Note: If you have joined our bug bounty programme previously, you will need to register again. NUS is now using a new platform via Yes We Hack.

RULES

  • The challenge is only open to NUS staff and students.
  • The list of NUS applications which are in scope will be made available only to registered participants. You may only perform testing on these applications.
  • Application/system owners and their respective support teams may not submit bugs related to the applications/systems they own or support.
  • All testing activities must be carried out through the Yes We Hack VPN. Please refer to the instructions sent to you once you have accepted the invitation.
  • Do not attempt to access or overwrite any data, especially private data, which you might gain access to.
  • Do not publicly disclose any vulnerabilities before they have been completely resolved.
  • Do not perform any tests that will disrupt services or prevent others from using them, e.g. DDoS/DoS attacks, brute-force attacks.
  • Do not use social engineering (such as phishing) to obtain credentials or access.
  • Do not use network-based exploits such as DNS poisoning or ARP spoofing.
  • Do not use exploits that require physical access to any system/machine.

NEW TO BUG BOUNTY?

Please refer to the following resources to get started:

If you have any questions, please contact the NUS IT Bug Bounty Program Team.

Need to know more? Check out this FAQ which is available via this link