Bug Bounty Program | CodeChef

Bug Bounty Program

Introduction

CodeChef was created as a platform to help programmers make it big in the world of algorithms, computer programming, and programming contests. Apart from providing a platform for programming competitions, CodeChef also has various algorithm tutorials and forum discussions to help those who are new to the world of computer programming. The Bug Bounty Program is a recent addition at CodeChef. It was started to seek help from community members in identifying and mitigating security threats. Maintaining effective security is a community effort, and to recognize the efforts of researchers and the important role they play in keeping our Platform safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please make sure you review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.

Policy Statement

Our public bug bounty program aims to continue improving the security of our products and services while strengthening our relationship with the community. We recognize and reward security researchers who help us keep people safe by reporting vulnerabilities in our products and services. Our rewards come in the form of Laddus; the criteria for redeeming them are described at https://www.codechef.com/laddu. Every bug you report is rewarded based on its level of severity. Participants of this program understand and agree that only reports that meet the eligibility criteria shall receive Laddus. Further, you must comply with all applicable laws in connection with your participation in this program. We may modify the terms of this program or terminate this program at any time.

Purpose

The purpose of this policy is to encourage and allow independent security researchers to report bugs to CodeChef and receive rewards or compensation. These bugs are usually security exploits and vulnerabilities, though they can also include process issues, hardware flaws, and so on. These rewards in turn help us discover and resolve bugs before the public is aware of them, preventing incidents of widespread abuse.

Validity of the Laddus

Laddus shall be valid and can be redeemed within a period of three years from the date on which they are credited (applicable to all Laddus credited from 1st April 2021). Laddus that were credited earlier and have not yet been redeemed shall remain redeemable and valid till 31st March 2024.

Application of Policy

This policy applies to anyone and everyone who will report a bug to us.

Bug bounty program processes

The points to keep in mind while reporting a bug are as follows:

  • All the bugs need to be reported at bugs@codechef.com.
  • We acknowledge every report within a maximum of 4 days.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough for us to reproduce the issue, it will not be eligible for a bounty.
  • In case of duplicate reports, the report that contains reproducible steps will be awarded the bounty.
  • Multiple bugs with one underlying issue will be awarded only to the earliest reporter.
  • Bugs related to weak test cases, ambiguity in problem statements, or the time limit of a problem are not considered valid bugs and hence are not eligible for the program.
  • Queries or feedback on such problem-related topics should be posted as comments on the problem statement page itself.
  • A report regarding a missing security best practice is not eligible for a bounty unless the missing practice can be exploited to impact users directly. In that case, the report shall be eligible for a bounty.

Disclosure Guideline

Discussing bugs publicly (or with anyone) without CodeChef's consent will void the rewards and may result in serious repercussions.

Reasons for disqualifying

A report can be disqualified for the following reasons:

  • Bounty for reports of the same bug from different users will be awarded only to the earliest reporter.
  • Bugs related to weak test cases, ambiguity in statements and time limit of the problem statements won’t be considered.
  • A report regarding a missing security best practice is not eligible for bounty unless it can be exploited to impact the users directly.
  • Disclosing the bugs/findings publicly (or with anyone) without CodeChef's explicit consent will void the rewards.
  • Multiple reports with one underlying bug will be awarded only once. All duplicate reports will be discarded.

Kinds of Bugs and reward for the same

  • Critical severity bugs
    Reward: No upper bound and shall be as per the discretion of CodeChef on case to case basis.
    Details: Bugs that give an unauthorized person administrator access to the site.
    Examples:

    • Remote Code Execution
    • Remote Shell/Command Execution
    • Vertical Authentication bypass
    • SQL Injection that leaks targeted data
    • Hacking or manipulating the judge result for a submission
  • High severity bugs
    Reward: 400 laddus
    Details: Bugs directly affecting the security of the platform.
    Examples:

    • Authentication bypass
    • Stored XSS for another user
    • Local file inclusion
    • Compiler-related vulnerability
  • Other bugs
    Reward: 150 laddus
    Details: Bugs affecting a single user.
    Examples:

    • Information leaks
    • Malfunctioning functionality

Rules

  • Automated security testing against the site or APIs is not allowed.
  • Localize all your tests to your account. Do not affect other users.
  • Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.
  • Follow disclosure guidelines.

Policy Review

This policy is subject to internal review by CodeChef from time to time to establish its efficacy. CodeChef will make changes to this policy from time to time to improve the effectiveness of its operation. In this regard, any reporter who wishes to make any comments about the Policy may forward their suggestions to bugs@codechef.com.