Vulnerability Disclosure Policy
Codingame intends to keep its service secure and protect its customers’ data. If you’ve found a security issue that you believe we should know about, you can submit it to our team. Eligible findings can receive a reward as stated below.
- Only the first reporter of a vulnerability can be eligible for reward (based on date of proper report, matching the criteria below).
- You must be available to supply additional information as required, in order for us to fully reproduce and address the issue (please provide PoC, including screenshots or video).
- Accepted targets are codingame.com and codingame.eu and all their existing subdomains.
- Severity and rewards are decided solely by our team, and we retain the right to determine if the submitted vulnerability is eligible.
- Rewards are determined on the basis of the severity level per the below table (note: the table is provided as example of severity, but does not constitute a commitment or contract in any way). Reward amount decisions are final.
- Analysts not following the below rules will not be eligible for reward.
- Avoid privacy violations, destruction or modification of data, and any interruption or degradation of our services.
- In the case that you acquire private data despite the previous rule, please dispose of it as soon as possible (ie when not required anymore for PoC).
- Don’t interact with our end-users or their own customers and candidates.
- No DoS attacks, use of automated scans or testing is tolerated only if done at the pace of a real human user.
- No social engineering, nor physical interaction with our users or employees, nor their equipment.
- Limit the number of accounts you create to the required minimum for the PoC. Creating more than a few accounts will not be tolerated.
- Allow a reasonable time (up to 90 days) for us to reproduce the issue, and fix it before making any information public. Ask for our approval before making any disclosures.
Spamming the sales or other forms is out of bounds of this program. Abuse will lead to being banned from the program.
Security Levels and Examples
Level : None (out of scope / no rewards)
This list gives examples of vulnerabilities considered out of scope of our disclosure program. These reports won’t be rewarded.
- Bugs not related to a security issue (non-200 HTTP response codes, application or server errors, and similar).
- Issues without a clear security impact : non-exploitable Self-XSS , logged-out CSRF, missing HTTP security headers / cookie flags / CORS / ClickJacking / Mixed content / HSTS issue not leading to credential or private information leak, SSL/TLS configuration issues, password policy issues.
- Server-side request forgery (SSRF) not leading to information leak, Cross-site Request Forgery (CSRF) with no or low impact.
- Verbose messages/files/directory listings not disclosing sensitive information.
- Enabled autocomplete attribute on web forms.
- Issues affecting third-party services or components not within our control, or with a known vulnerability not yet remediated (except if an applicable fix is publicly available for a reasonable amount of time, and usable in our situation).
- Server information disclosure (component name / version). Exception can be made per previous item if it discloses a server version with an associated patch-able high or critical level vulnerability.
- E-mail configuration (SPF / DKIM / DMARC).
- DNS configuration : lack of DNSSEC, DNS records leading to removed or non-existent resources.
- Open ports without a demonstrated vulnerability.
- Threats that require privileged access to the target’s devices or stealing credentials, that are outside our control (like access to browser cookies and/or other tokens used to impersonate the user, access to user’s email address, homograph attacks…).
- Vulnerabilities only affecting users of outdated or unpatched browsers or software.
- Missing throttling, except if leading to proven exploitable vulnerability.
- Username / email enumeration except if leading to easily exploitable credential leak.
- Metadata in images.
- Disclosing API keys without proven impact.
- Text injection that is obviously abnormal/fraudulent to user.
Level : Low
- Open redirections (with proven impact).
- Obvious Server misconfiguration leading to low severity risk.
- Broken e-mail validation (with proven impact)
- Non-public Information leaks or disclosure (excluding sensitive user data).
- Reflected XSS.
- Other low-severity issues (Limited risk or overly hard to exploit).
Level : Medium
- CSRF / XSRF.
- SSRF to an internal service.
- Stored XSS.
- Credential stealing requiring plausible user interaction.
- Other medium-severity issues (Medium risk or hard to exploit).
Level : High
- Non-public Information leaks or disclosure including sensitive user data (not requiring user interaction).
- Other high-severity issues (High risk or reasonably easy to exploit).
Level : Critical
- SQL injection.
- Remote code execution.
- Server access (full command set).
- Privilege escalation.
- Broken authentication.
- Other critical-severity issues (Critical risk or very easy to exploit / amplify).
Rewards are paid by severity tier as per below table.
Currency conversion or other transaction fees can’t be added to the reward amount.
Rewards up to and including 100 USD value will be paid only via a voucher usable on 300+ services. Options include virtual debit card (Visa), virtual gift cards, and more. We do not provide rewards at this level via Paypal. More details.
Higher tier rewards (250-500 USD) can be paid by the options above, or via Paypal. To receive a reward via Paypal you must issue to us a proper proforma invoice, stating your legal business/personal contact and VAT details.
“Hall of Fame”
- Milan jain (scriptkiddie)
- Suprit Pandurangi
- Love Yadav
- Rutuparn Satpute
- Sachin Kalkumbe
- Hamdan Ali Siddiqui
- Ranjeet Singh (geekboyranjeet)
- Richa Behl
- Gokul AP