
This story draft by @richardjohnn has not been reviewed by an editor, YET.

WIP: HackerNoon Bug Bounty Program


Have you found a HackerNoon.com security vulnerability? Please use this form and let us know what you have found. Want to know if we’ll give you a reward for discreetly disclosing it? Read on!


If your bug bounty helps improve HackerNoon in a notable way, we have three levels of rewards: HackerNoon swag, cash/bitcoin bounties, and HackerNoon ad credits. Bounties can be paid out in USD, stablecoins, or BTC. If the issue is a minor one, we may instead offer HackerNoon swag for your community mindfulness. Here are some example bugs and bounties. USD ranges are mapped to example issue types below. The more serious the issue is, the more we reward.

| Bug | Description | Bounty | Ad Credit |
| --- | --- | --- | --- |
| Privilege Escalation | You’ve obtained write access to a database or you can edit content that wasn’t originally created by you. | $300 (USD) | $999 |
| Cross-Site Scripting (XSS) | You can inject client-side scripts into our site so users viewing a page can get pwned. | $100 | $398 |
| Cross-Site Request Forgery (CSRF) | Intercept and modify our requests to our backend | $100 | $398 |
| Impersonation | Can you send me an email that looks like it came from @hackernoon.com? | $100 | $398 |
| Personal information leak | You can get access to user’s personal email, or some other data that available on their profile or about page. | $100 | $398 |
| “hey, you know you support TLS 1.0?” | Pointing out information widely available via a site like https://www.ssllabs.com/ (that we didn’t yet know about). | HackerNoon Shirt | $50 |


We credit much of our bug bounty tiering to Bugcrowd’s Vulnerability Rating Taxonomy, a resource outlining Bugcrowd’s baseline priority rating, including certain edge cases, for common vulnerabilities (more info on GitHub). The same contact form can be used to report any suggestions for how we should measure bugs in the future.

What if I choose my payment in HackerNoon ad credits?

For people who want to report bugs for the sake of making this a better place to spend time, we want to offer more generous payouts in HackerNoon ad credits. Here are our full sponsorship options. Credits must be spent within a year. Here are preapproved example packages for this program showing how you can spend your credits. They are designed to grow your own internet presence, or that of your company, a friend’s company, or your spouse’s company:



A Note About Being Patient to the Internet

Please do not test vulnerabilities in public, or in a destructive manner. Instead, please test against your own accounts or content from another account you’ve created. We may ask for a demonstration of the exploit with a specific test. A demonstration is useful when we cannot verify a bug report ourselves based on the given description. It sometimes happens that we get a bug report, but then don’t hear back when we reply asking for a demonstration or reproduction of the issue.


If you have multiple issues, you can enumerate them in a single report. A reward is given for each type of bug found. If the same issue appears in multiple places, we’d give one reward for those.


If a vulnerability has already been reported, it isn’t eligible for a reward.


Please be patient when awaiting a reply. We’re a small team of engineers and HackerNoon has millions of visitors. Unless you have more information relevant to the bug, please allow us time to respond before submitting more forms.