Just a quick update with the full details of the upcoming contest. Obviously it doesn’t include the target, but it should cover everything else. If I have missed anything or you have other questions, please send me an email. As we are in early beta, everything you tell us helps make these programs awesome.
If you have not created an account, sign up at goo.gl/Z9IW5
Arctic Wolf Details and Rules
The cash prize will be announced after the close date, once we have finished reviewing each submission, and will be paid by pre-paid Visa gift card or PayPal:
* $500 for 1st prize
This competition will be open for 3 days:
* Starts 11pm Tuesday February 5th and closes at 11pm Friday February 8th (Greenwich Mean Time – GMT)
You’ll receive leaderboard recognition and points for the following milestones:
* 100 when you create an account
* 500 for submitting a bug report
* 1,000 for disclosing a bug
* 10,000 for 1st prize
* 5,000 for 2nd prize
* 2,500 for 3rd prize
The link to the target will be sent out via email at 11pm Tuesday February 5th (GMT), only to researchers who have signed up via goo.gl/Z9IW5
Ruby on Rails
Bugs must be submitted using the Submit Bugs form goo.gl/CVbBu, which can be found in the header menu of Bugwolf when signed in. It’s important to note that once you submit a bug you cannot edit it. However, you can resubmit an updated bug by using the same form.
We’ve created a forum called Arctic Wolf 1.0 goo.gl/3VRcI to collaborate, chat, and share feedback with our team and other researchers about this contest. If you have questions or feedback which you would prefer not to share in the forum, then please email me or hello [at] bugwolf [dot] com
The most important thing is that you play nice with others and us. Be thoughtful in testing and please don’t do anything that brings down the site. Most of all, use your common sense. We will be keeping an eye on the target. Anyone found acting in bad faith and impacting our other members, or breaking the spirit of these guidelines, will be disqualified and forfeit any rewards or prizes.
* Eligibility of all bug submissions is subject to approval by the Bugwolf management team and judges.
* Prizes and leaderboard points will be awarded based on time, severity, and creativity.
* Brevity and clarity in all bug submissions are key factors during judging. Submissions which are incomplete or cannot be replicated will be disqualified.
* No damaging database activities, and do not delete or modify data on the target.
* To speed up, and qualify for, the bug submission validation and verification process, you must include a PoC screenshot, link, or how-to with your submission. If you are unable to, you must include an explanation of why not. The judges will review your explanation and decide whether your submission still qualifies or is excluded.
* This is a bug bounty contest and not a penetration test. Do not use DDoS: by using a botnet for a resource exhaustion attack you are not finding a bug. Don’t upload shells/exploits.
* By creating an account and accessing any contest you agree not to disclose the client name or any information about them that could identify them, the target and details relating to testing, and any issues discovered from the testing. Violating the terms of this disclosure revokes all permissions to test.
* Cash prize will be paid via a pre-paid Visa gift card or PayPal. The winner will be contacted at the email address which they used for their Bugwolf account and asked how they would like payment made.
* If you identify a bug that has the potential to cause a DoS, you must report it immediately by using the Submit Bugs form goo.gl/CVbBu. Exploiting that bug or otherwise attacking the target is not cool.
* If the target or our website is down for a long period of time, the Bugwolf team reserves the right to close the contest and award the winner.
* Judging of bugs takes place after the end of the contest. All contestants and winners will receive an email notifying them of the contest results at the email address they have used to register for Bugwolf. We’ll also publish a blog post and update the leaderboard.
Security researchers have been granted permission to test only those systems that are specifically named in the contest information. Our platform is dedicated to discovering security bugs that clients can reproduce and that impact only those systems specified by the contest instructions. Any contestant who tests a system or submits a vulnerability that’s outside the testing parameters will be disqualified, and automatically forfeit any claim to cash prizes or rewards.
Discoveries that are not qualified bug submissions include:
* Distributed denial-of-service
* Page Not Found/404s
* Vulnerabilities from systems not specified by the contest instructions
* Spelling or Typos
* UI/UX and functional bugs
* Web server banner disclosures