menu

HeroX

 12,741

Hack HeroX Challenge

Calling all hackers, we are looking for security experts to test our platform for web application frontend and backend vulnerabilities.

This challenge is closed

stage:
Closed
prize:
$6,000

This challenge is closed

more
Summary
Timeline
Updates3
Forum2
Teams87
Resources
FAQ
Summary

Overview

Overview

A penetration test, also known as a pen test, is an authorized simulated cyber attack on a computer system, performed to evaluate the security of the system. The test is performed to identify both weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.

During traditional penetration tests, companies source and hire expert freelancers or organizations to perform the security tests necessary for annual compliance with internal security protocols. At HeroX, we have decided to apply crowdsourcing to our regular security evaluations via an incentivized competition model.

If you are qualified and interested in participating in our pen test, visit the Guidelines Tab for more information.


Guidelines

Challenge Structure

Phase I: April 1st - May 7th, 2019

  • Hackers submit a Request to Participate
  • All verified hackers will advance to Phase II

Phase II: May 7th - 21st, 2019

  • All approved hackers will be given a list of penetration tests and the necessary credentials to access the in-scope elements of our platform
  • Hackers will choose 1 test from the List of 6 Tests to conduct and submit preliminary findings
  • Up to 5 Finalists will be selected to advance to Phase III

Phase III: May 28th - June 11th, 2019

  • The 5 Finalists will be eligible to conduct the remaining 5 tests from the List of Tests, and complete list of approved penetration tests in-scope with the Challenge
  • Hackers will submit all final deliverables including all detected, in-scope platform vulnerabilities
  • HeroX will award Finalists $50 - $1,500 per vulnerability detected, according to the Prize Structure below

 

Prize Structure

At the conclusion of Phase III, HeroX will award $50 – $1,500 per vulnerability according to the technical severity listed below. There is a $5,000 maximum reward per Finalist.

  • Priority 1 Critical $1,000 - 1,500
  • Priority 2 High $500 - $800
  • Priority 3 Medium $100 - $200
  • Priority 4 Low $50 - $100

For the initial prioritization of findings, please refer to our Severity Level Definitions, below. In some cases, our internal judges may modify a vulnerability rating due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

 

Severity Level Definitions

Critical Severity

Critical severity issues present a direct and immediate risk to a broad array of our users or to HeroX itself. They often affect relatively low-level/foundational components in one of our application stacks or infrastructure. For example:

  • Access to sensitive production user data or access to internal production systems.
  • Bypassing the HeroX login process, either password or 2FA.
  • Arbitrary SQL queries on the HeroX production database.
  • Arbitrary code/command execution on a HeroX server in our production network.

High Severity

High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:

  • Gaining access to a non-critical resource that only HeroX employees should be able to reach.
  • Discovering sensitive user or HeroX data in a publicly exposed resource, such as an S3 bucket.
  • Bypassing authorization logic to grant a repository collaborator more access than intended.
  • Injecting attacker controlled content into HeroX.com (XSS) which bypasses CSP.

Medium Severity

Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:

  • Bypassing CSRF validation for low risk actions, such as starring a repository or unsubscribing from a mailing list.Code execution in a desktop app that requires no user interaction.
  • Injecting attacker controlled content into HeroX.com (XSS) but not bypassing CSP or executing sensitive actions with another user’s session.
  • Disclosing the title of issues in private repositories which should be inaccessible.

Low Severity

Low severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:

  • Triggering application exceptions that could affect many HeroX users.
  • Triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.
  • Bypassing community-and-safety features such as locked conversations.
  • Creating an issue comment that bypasses our image proxying filter by providing a malformed URL.
  • Signing up arbitrary users for access to an “early access feature” without their consent.

 

List of Tests

  1. Cross-Site Scripting (XSS)
  2. SQL Injection
  3. Sensitive Data Exposure
  4. Broken Access Control
  5. Security Misconfiguration
  6. Broken Authentication

For more information about these tests, please visit OWASP's Guide, here.

 

Scope of this Challenge

  1. What computer assets are in scope for the test?
    1. HeroX.com website and its infrastructure
  2. Does it include all computers, just a certain application or service, certain OS platforms, or mobile devices and cloud services?
    1. All computers and services related to HeroX.com website.
  3. Does the scope include just a certain type of computer asset, such as web servers, SQL servers, all computers at a host OS level, and are network devices included?
    1. Everything is included.
  4. Can the pen testing include automated vulnerability scanning?
    1. Yes.
  5. Is social engineering allowed, and if so, what methods?
    1. No.
  6. What dates will pen testing be allowed on?
    1. The Challenge Launch Date is April 1st, 2019 and the Submission Deadline is June 11th, 2019. During this window, pen testing will be allowed anytime according to the Challenge Structure outlined above.
  7. Are there any days or hours when penetration testing should not be tried (to avoid any unintentional outages or service interruptions)?
    1. No. Penetration Testing is allowed any time from April 1st, 2019 - June 11th, 2019.
  8. Should the professional attackers (e.g., red team) try to break-in without being detected by the defenders (e.g., blue team), or should they use normal methods that real intruders might use to see if it sets off existing detection and prevention defenses?
    1. No. These interruptions are a crucial part of the pen test.
  9. Will the penetration testing be blackbox (meaning the pen tester has little to no internal details of the involved systems or applications) or whitebox (meaning they have internal knowledge of the attacked systems, possibly up and involving relevant source code)?
    1. Blackbox
  10. Should testers try their best to avoid causing service interruptions or is causing any sort of problem a real attacker can do, including service interruptions, a crucial part of the test?
    1. Use normal methods that real intruders might use to see if it sets off existing detection and prevention methods. Include all attempted (but defended) and successful attacks in your documentation.
  11. Is denial-of-service considered an in-scope goal?
    1. DoS (Denial of Service): Yes, in-scope
    2. DDoS (Distributed Denial of Service): No, out of scope
  12. Is accessing a particular computer or exfiltrating data part of the goal, or is simply gaining privileged access enough?
    1. The goal is to access any data that the user should not be able to access or to gain any additional access.

 

Timeline
Updates3

Challenge Updates

One Week Left to Hack HeroX!

May 14, 2019, 9:39 a.m. PDT by MacKenzie Richter

Greetings Hackers, 

You have one week left to submit for Phase II of the Hack HeroX Challenge. The submission deadline is on May 21, 2019 at 11:59 p.m. CDT. 

If you missed the deadline for Phase I, you can still submit a Request to Participate. We will review your request and, if eligible, send you access credentials immediately so that you have time to participate before the Phase II deadline. 

As a reminder, for Phase II you only need to choose 1 test from the list below to conduct your tests and submit preliminary findings.

List of Tests

  1. Cross-Site Scripting (XSS)
  2. SQL Injection
  3. Sensitive Data Exposure
  4. Broken Access Control
  5. Security Misconfiguration
  6. Broken Authentication

Please let us know if you have any questions. 

Best,

HeroX


Only 2 Hours Left!

May 7, 2019, 7:59 p.m. PDT by MacKenzie Richter

Hackers, 

Now is your chance to request to participate in the 2-week Hack HeroX Challenge to win $2,500. 

We hope you will Accept the Challenge within the next 2 hours!

 

Prizes

At the conclusion of Phase III, each of the 5 Finalists will receive a cash prize:

  • First Place: $2,500
  • Second Place: $1,500
  • Third Place: $1,000
  • Fourth Place: $500
  • Fifth Place: $500

 

Cheers, 

HeroX


Only 8 Hours Left!

May 7, 2019, 1:59 p.m. PDT by MacKenzie Richter

Greetings Hackers, 

If you're still debating whether to apply to the Hack HeroX Challenge, today is your last chance!

Pro Tip: HeroX recommends that you submit ideas at least three hours before the deadline. Last-minute technical problems and unforeseen roadblocks have been the cause of many un-submitted entries. Don’t let that happen to you!

 

Phase I is only a request to participate, so it shouldn't take too long to complete -  

As a reminder, see the Challenge Structure below.

 

Phase I: April 1st - May 7th, 2019 at 11:59pm CDT

  • Hackers submit a Request to Participate
  • All verified hackers will advance to Phase II

Phase II: May 7th - 21st, 2019

  • All approved hackers will be given a list of penetration tests and the necessary credentials to access the in-scope elements of our platform
  • Hackers will choose 1 test from the List of 6 Tests to conduct and submit preliminary findings
  • 5 Finalists will be selected to advance to Phase III

Phase III: May 28th - June 11th, 2019

  • 5 Finalists will be eligible to conduct the remaining 5 tests from the List of Tests, and complete list of approved penetration tests in-scope with the Challenge
  • Hackers will submit all final deliverables including all detected, in-scope platform vulnerabilities
  • All 5 Finalists will earn a cash prize to honor their time commitment to Phase III

 

Happy Hacking!

HeroX


Forum2
Teams87
Resources

Challenge Resources

List of Tests
April 1, 2019
FAQ