Bug Bounty Program | CodeChef

With a growing programming community and fast-moving technology, it is hard to keep up with everyday changes. At CodeChef we strive to provide you with the best services, ones that are both secure and efficient.

The Bug Bounty Program is a recent addition at CodeChef. It was started to enlist community members in identifying and mitigating security threats to the platform.

What is in it for you?

We appreciate you taking the time to find issues and point them out to us; it helps us improve our approach. We are grateful for your efforts and do not want them to go unrewarded. Rewards are paid in Laddus, and every valid bug you report is rewarded according to its severity.

1. Critical severity bugs
Reward: No upper bound
Details: Bugs that give an unauthorized party administrator-level access to the site. Examples:

  • Remote Code Execution
  • Remote Shell/Command Execution
  • Vertical authentication bypass (gaining access at a higher privilege level than your own)
  • SQL injection that leaks targeted data
  • Manipulating the judge's verdict for a submission

2. High severity bugs
Reward: 400 laddus
Details: Bugs directly affecting the security of the platform. Examples:

  • Authentication bypass
  • Stored XSS that executes in another user's browser
  • Local file inclusion
  • Compiler-related vulnerability

3. Other bugs
Reward: 150 laddus
Details: Bugs affecting a single user. Examples:

  • Self-XSS
  • Information leaks

How to report

All the bugs need to be reported at bugs@codechef.com

Here is what you need to take care of:

  • Provide a detailed report with reproducible steps. If the report is not detailed enough for us to reproduce the issue, it will not be eligible for a bounty.
  • In case of duplicate reports, the bounty goes to the report whose steps are reproducible.
  • Multiple bugs with one underlying cause count as a single issue, and only the earliest reporter is awarded.
  • NOTE: Weak test cases, ambiguity in problem statements, and problem time limits are not considered valid bugs and are not eligible for the program. Queries or feedback on these topics should be posted as comments on the problem statement page itself.
  • A report about a missing security best practice is not eligible for a bounty unless the omission can be exploited to impact users directly; in that case the report is eligible.

Disclosure Guideline: Discussing a bug publicly (or with anyone else) before informing CodeChef will void the reward and may result in serious repercussions.

Rules

  • Automated security testing (scanners, fuzzers) against the site or its APIs is not allowed.
  • Confine all your testing to your own account. Do not access, modify, or affect other users' data.
  • Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed.
  • Follow disclosure guidelines.