Security Research Challenge
Part bug bounty, part capture-the-flag
This isn't your typical bug bounty. We've built something for researchers who appreciate the craft. Real vulnerabilities earn real rewards. There's also an Easter egg for those who understand the history of authentication security. No scanners. No spray-and-pray. Just you, the API, and your knowledge.
Rewards
- Critical (Up to €500): Auth bypass, privilege escalation, account takeover
- High (Up to €250): Token hijacking, claim manipulation, session fixation
- Medium (Up to €100): Rate limit bypass, information disclosure
- Low (Recognition): Minor misconfigurations, low-impact findings
Scope
- IN: api.ng-stage.com (Staging API)
- IN: app.ng-stage.com (Staging application)
- OUT: *.nettingale.com (Production)
- OUT: Third-party services (External dependencies)
Rules of Engagement
- Only test on staging. Never touch production
- No DoS/DDoS testing
- No social engineering or phishing attempts
- No accessing other users' data beyond the minimum needed for a proof of concept; stop and report as soon as impact is demonstrated
- Report to us before any public disclosure; we follow a 90-day coordinated disclosure window
- One account per researcher
Out of Scope
- Intentional CTF challenges (see our security.txt, served at /.well-known/security.txt per RFC 9116, for details)
- Missing security headers without a demonstrated exploit chain
- Self-XSS or issues requiring unlikely user interaction
- Clickjacking on pages without sensitive actions
- Missing or weak rate limiting on non-authentication endpoints (rate-limit bypass on authentication endpoints remains in scope, see Rewards)
- Vulnerabilities in third-party dependencies (report upstream)
- Issues already reported or publicly known
How It Works
- Submit reports through HackerOne only
- We acknowledge reports within 48 hours and aim to validate within 7 days
- Fixes are prioritized by severity. Critical issues are patched within 72 hours
- Bounties are paid through HackerOne within 14 days of fix deployment
- First valid report wins. Duplicates are closed as informative
- Severity is determined at our discretion, but we discuss disagreements in good faith
Safe Harbor
Security research conducted in accordance with this policy is authorized. We will not pursue legal action against researchers acting in good faith.
Getting Started
Our bug bounty program is private on HackerOne. To request an invitation, email [email protected] with your HackerOne username and areas of interest. We review requests weekly and prioritize researchers with authentication security experience.