Security Research Challenge

Part bug bounty, part capture-the-flag

This isn't your typical bug bounty. We've built something for researchers who appreciate the craft. Real vulnerabilities earn real rewards. There's also an Easter egg for those who understand the history of authentication security. No scanners. No spray-and-pray. Just you, the API, and your knowledge.

Rewards

• Critical (Up to €500): Auth bypass, privilege escalation, account takeover
• High (Up to €250): Token hijacking, claim manipulation, session fixation
• Medium (Up to €100): Rate limit bypass, information disclosure
• Low (Hall of Fame): Minor misconfigurations, low-impact findings

Scope

• IN: api.ng-stage.com (Staging API)
• IN: app.ng-stage.com (Staging application)
• OUT: *.nettingale.com (Production (out of scope))
• OUT: Third-party services (External dependencies)

Rules of Engagement

• Only test on staging. Never touch production
• No DoS/DDoS testing
• No social engineering or phishing attempts
• No accessing other users' data beyond proof-of-concept
• Report before public disclosure (90-day policy)
• One account per researcher

Out of Scope

• Missing security headers without a demonstrated exploit chain
• Self-XSS or issues requiring unlikely user interaction
• Clickjacking on pages without sensitive actions
• Rate limiting on non-authentication endpoints
• Vulnerabilities in third-party dependencies (report upstream)
• Issues already reported or publicly known

How It Works

• We acknowledge reports within 48 hours and aim to validate within 7 days
• Fixes are prioritized by severity. Critical issues are patched within 72 hours
• Payment is sent within 14 days of fix deployment via SEPA, Wise, or PayPal
• First valid report wins. Duplicates receive Hall of Fame credit only
• Severity is determined at our discretion, but we discuss disagreements in good faith

Contact

Email: [email protected]
Response time: 48 hours