This year was legendary for the Patchstack Alliance bounty program project, and to finish this year on the highest note, we decided to make four additional weekly events for December. Some of you remember when we did that last year, and it was a mind-blowing competition that echoed for several months after. So let’s do it again!
Events
We have four full competition weeks in December, each dedicated to particular vulnerabilities.
Week #1 – December 4-10, 2023
The first week is an easy one – warm up before getting serious. In the first week, you will compete by reporting Broken Access Control and Cross-Site Request Forgery (CSRF) vulnerabilities.
Week #2 – December 11-17, 2023
The second week will get more serious as you will compete by reporting Cross-Site Scripting (XSS) and Sensitive Data Exposure vulnerabilities.
Week #3 – December 18-24, 2023
In the third week of December, you can show your skills by reporting SQL Injection (SQLi), Open Redirection, and Broken Authentication/Bypass vulnerabilities.
Week #4 – December 25-31, 2023
In the year’s final week, you’ll compete with other elite researchers in finding Remote Code Execution (RCE), PHP Object Injection, Arbitrary File (upload/download/deletion), and Privilege Escalation vulnerabilities.
Monthly competition (December)
The great news is that the monthly competition will also happen, and all points from weekly events will be counted in your monthly point pool. It means you can participate in five events in December.
Bounties?
Yes, we have them. Each week, we will give bounties to the TOP 3 researchers. 1st place is $300, 2nd place is $200, and 3rd place is $100 – meaning the weekly bounty pool is $600. Plus, at the end of December, we will count the points for the monthly results, and the TOP 15 + 1 researchers will split up an additional $2450. It means that the overall December bounty pool is $4850!
Rules!
- Patchstack Alliance standard rules apply to these events. Please read the rules carefully. Please report particular vulnerability types on specific weeks to compete in dedicated week events.
- Yes, you will get extra AXP points for boosted products from the Patchstack mVDP program. You can check the list of boosted products here – Extra points!
- We will create public profiles for all new researchers who submit valid reports. Each public profile will include information about your results, as well as your Twitter, GitHub, LinkedIn, and other personal and social links. We also accept “BuyMeACoffee” links on the profiles and on database entries for vulnerabilities you have discovered.
- December results will be visible on this leaderboard. Weekly results will be announced by updating this article, on the Patchstack Twitter account, and on the Patchstack Alliance Discord server.
- All valid reports will get their CVE IDs. Even if your report does not get any points (like admin+ vulnerabilities), you’ll still get the CVE ID if the report is valid.
- If you have any questions, create a ticket on the Patchstack Alliance Discord server or DM [email protected].
Source: patchstack.com