Celfocus Hack This Rules!
Hack This is an event designed for the Celfocus security community, where participants will be able to test an application.
The Hack This official URL will be presented on the starting day.
We determine the value of the reward based on the risk and probability of the reported vulnerability. Important note: vulnerability research must NOT be restricted to the vulnerabilities mentioned below; they are for reference only.
| Level | Points Earned | Vulnerability |
|---|---|---|
| Informational/Low | 50 Points | Stack trace, business logic errors without impact |
| Low | 100 - 200 Points | URL redirects, debug information, business logic errors, server or database information disclosure, clickjacking |
| Medium | 300 - 500 Points | Reflected XSS, misconfigured CORS, server-side request forgery (SSRF), cryptographic weaknesses, vulnerabilities in mobile applications or APIs |
| High | 600 - 800 Points | Stored XSS, exposed API credentials, SQL injection, broken access control, XML external entity (XXE) injection, directory traversal, IDOR (insecure direct object references), insecure deserialization |
| Critical | 1200 - 1500 Points | RCE on backend systems, authentication bypass leading to account compromise, privilege escalation from unprivileged to admin or cross-organizational lateral movement, sensitive data exposure |
Eligibility Requirements
To be eligible for Hack This you must follow the rules shown below:
- Be registered for the event and assigned to a team.
- Not be working directly on the project.
Credentials
The credentials will be delivered to the teams before the event starts. If you need to create more accounts, please contact the application security team.
Rules
- Points may be deducted from any team that violates the rules below.
- It is not allowed to attack other systems that are not within the scope.
- It is not allowed to change the system to prevent other teams from finding vulnerabilities.
- Only interact with accounts you own or with the explicit permission of the account holder.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate the impact. If it is the same type of vulnerability in the same endpoint but with different parameters, only one submission can be made; however, all parameters must be explicitly mentioned following the Reporting Criteria.
- When duplicate submissions occur from different teams, we still reward them.
- If a vulnerability from the same category is found in different parameters on the same endpoint, points will be given for the endpoint, adding 1/3 of the vulnerability value per extra parameter found.
  - E.g. a profile page containing different parameters: name, description and phone number.
  - If a Stored XSS is discovered in the name, 350 points will be given, and if the same vulnerability (Stored XSS) is found in the description and phone number parameters, an additional 117 points will be added for each (1/3 of the base value). In summary, for a Stored XSS found in the name, description and phone number, (350 + 117 + 117) points would be awarded.
- DO NOT disrupt the availability of the application/system. If you think you may cause or have caused damage.
- Follow the disclosure policy.
Generic Rules
- Team size: max 3 people per team.
- Do not brute force flags in any way.
- Flags not submitted within the event period will not be valid.
- The scoreboard is updated when flags are submitted.
- The flag format is "flag{answer}".
Ineligible Vulnerability Types
- Social engineering (e.g. phishing, vishing, smishing).
- Unconfirmed reports from automated vulnerability scanners or reports lacking evidence of a vulnerability.
- Generic examples of Host header attacks without evidence.
- Theoretical sub-domain takeovers with no supporting evidence.
- Reports of broken links or unclaimed social media accounts.
- Physical testing (e.g. office access, open doors, tailgating).
- Denial-of-service (DoS) attacks that require significant resources, such as a distributed denial-of-service (DDoS) attack.
- Low severity issues, such as spelling mistakes or minor UI issues.
- Vulnerabilities related to SSL/TLS configuration or cipher selection without proof of impact.
- Vulnerabilities that are not reproducible or are found in a manner that violates the rules or terms of the Hack This event.
Reporting Criteria
You will report the vulnerabilities found in the vulnerability submission form.
The submission fields you will need to fill in:
- Name of vulnerability – e.g. cross-site scripting in the homepage, remote code execution via file input.
- Description of the vulnerability – Explanation of how the vulnerability works, a detailed step-by-step description of how to exploit it (proof of concept), list of URLs and affected parameters, type of user (unregistered, read-only, admin), CVE (if applicable), tools used to replicate, screenshot (required).
- Type of vulnerability – If you are uncertain, contact the AppSec Team or select "other".
- Ease of exploitation – Degree of difficulty to execute the exploit (from 1-hard to 5-easy).
Reminders:
- The submission form will be presented on the starting day.
- To be considered a vulnerability, it must be a proven exploit. E.g. if library jQuery 1.2 is vulnerable to XSS, the report must include the working XSS exploit (reflected, stored, DOM).
Our Commitment
The Application Security team ensures that points are validated and rewarded accordingly.
Scope
Domain will be presented on the starting day.
Deadlines
Only vulnerabilities submitted within the event period will be considered valid.
Communication and notifications
Communications are done through the official channels, Microsoft Teams or other channels defined by the Application Security team before the event starts.
Disclosure Policy
Do not discuss any vulnerabilities (even resolved ones) outside the event without the organization's express consent.
All vulnerabilities are classified as confidential.
Frequently Asked Questions (FAQs)
What is this?
A week dedicated to teams looking for security vulnerabilities in "capture the flag" challenges and one of our CELFOCUS products/projects.
Why are we doing this?
Understanding security vulnerabilities allows us to be better prepared and deliver more secure applications.
How can I join in?
Sign up as a team of three (max.) or individually (we will join you to a team if you wish).
- Registrations can only happen until 1 week before the event starts.
- When registering your team, don't forget to save your team password and only share it with your team members.
Working as a team, you will be facing these challenges, collecting points and competing to be among the teams that win prizes! All the product vulnerabilities will be classified using our Vulnerability Management Process scale.
Can I participate as a single player?
Yes. The Application Security Team will contact you before the event to ask whether you want to be added to a team.
We all know multiple brains are better than one.
Are there identified vulnerabilities on CELFOCUS product/project?
No, we are counting on you.
What’s in it for me?
Besides the thrill of discovering vulnerabilities and learning more about them, you will get to work with an inspiring team and create new connections.
Oh! And if you are among the top three teams you may win awesome electronic gadgets. Additionally, every participant who finds a vulnerability will receive event merchandise.
Are the prizes for individuals or to be divided by team members?
Each team member will receive individual gift cards.
When can the team start the challenges?
The Application Security Team will advertise the events and inform the whole Security Community about the start and end dates. There will also be an opening and closing ceremony for every event.
Teams are responsible for creating their own dynamic, time off work etc.
How can I access the Hack This Portal?
The portal should be accessed via our corporate VPN; the address will be shared with you before the start of the event.
When will the winners be announced?
The announcement will be shared at the end of the event, in the closing ceremony.
Who can win the top 3 Prizes?
Only teams made up 100% of Celfocus personnel will be eligible to win those prizes; however, the thrill, the experience and the Celfocus merch are guaranteed for everyone else. So, if you worked with us in the past and want to continue to "play", you can join the fun! (If you have a Novabase email, you are considered Celfocus personnel in this context.)