NUS Bug Bounty Challenge Scope and Rules

NUS IT is excited to announce the NUS Bug Bounty Program, an initiative to improve our cybersecurity awareness and posture through community effort. Partnering with HackerOne and SOC, we aim to expose ALL NUS students to ethical hacking through online games, sharing sessions by hackers, and discovering bugs on NUS production systems. Sign up now!

SCOPE

Domain: To be provided*

Examples of in-scope vulnerabilities:
❖ Remote Code Execution (RCE)
❖ SQL Injection
❖ Authorization bypass
❖ Privilege escalation
❖ Sensitive Data Exposure
❖ Cross Site Scripting (XSS)
❖ Cross Site Request Forgery (CSRF)
❖ Security Misconfiguration

Examples of out-of-scope vulnerabilities:
❖ Any bug that does not pose a real or demonstrable security risk
❖ Denial of Service attacks (DoS)
❖ Social engineering
❖ Physical exploits of our servers or network
❖ Local network-based exploits such as DNS poisoning or ARP spoofing
❖ Clickjacking, open redirects, or lack of security headers

*The domain will be emailed to participants who have signed up with HackerOne using their NUS-ID, upon accepting the terms and conditions of the challenge.

REWARDS

Severity, amount in USD**, and examples:
❖ Critical: US$1500 (e.g. Remote Code Execution)
❖ High: US$500 (e.g. Authorization Bypass)
❖ Medium: US$250 (e.g. Cross Site Scripting)
❖ Low: US$100 (others)

**Bounties are awarded only to the first unique report of a previously unidentified vulnerability. Subsequent reports will be closed as duplicates and not eligible for a bounty.

OTHER REWARDS

Modules:
❖ CS2107 Intro to Information Security
❖ CS3235 Computer Security
❖ CS4238 Computer Security Practice
❖ CS4239 Software Security
❖ CS5321 Network Security
❖ CS5331 Web Security

Extra marks can be claimed by a bounty winner in at most one module in AY19/20.
The number of marks is to be decided by the respective module coordinator.

RULES
❖ You must be an NUS student and register on the HackerOne platform using your NUS-ID.
❖ All activities have to be carried out through the HackerOne VPN using the assigned IP.
❖ Do not attempt to access or overwrite any data, especially private data, to which you gain access.
❖ Do not publicly disclose any vulnerabilities before they have been completely resolved.
❖ Do not perform any tests that would disrupt services or prevent others from using them (for example, DDoS/DoS attacks or brute-force attacks).
❖ Do not social engineer or phish users.
❖ No local network-based exploits such as DNS poisoning or ARP spoofing.
❖ No physical exploits of our servers or network.

FAQ
❖ If you wish to use your existing HackerOne ID, please email us (cceits@nus.edu.sg) from your NUS-ID email address to let us know your HackerOne ID.