What if bug bounty platforms had their own contest? Imagine a tournament where bug hunters would be promoted and sponsored by platforms, as in every (e-)sport. Imagine an event where they could fight on a dedicated scope, as they would in a CTF event but with bounties, or as in a HackerOne live event but with a huge competition in the background. This is THE HUNTER GAMES.
Promote the industry.
Secure the customers.
And have fun?
To participate, a platform must:
- be able to host a physical event. See “The play”.
- be able to sponsor a team. See “Players”.
- be able to provide a scope. See “Scopes”.
- be able to triage the reports regarding the scopes it provides. See “Reports”.
Each team consists of 5 players.
One of them must be an internal employee of the platform; to be easily noticeable he wears the number
The four others are hackers from the community, selected by the platforms themselves using their own process.
At the beginning of the season, a random draw is performed in order to create the calendar. Teams are paired up to decide the matches.
Game after game, the calendar is filled with the results, showing the progress of all teams.
A match is a set of 2 games.
The first game is hosted by the platform that was drawn first in the random draw. The platform that was drawn second hosts the second encounter.
It’s the responsibility of the host to prepare all technical details for both teams: place, network, electricity…
Points from both games are summed; the team with the higher total passes the round and is qualified for the next step.
A month before the game, a random draw is performed to choose a scope from the pool of scopes brought by platforms that are not playing that game. That scope is then removed from the pool.
Two accounts named after the teams are created on the platform that owns the randomly chosen scope.
A game is eight hours long, no break. Only issues reported during this period are used to calculate the points of the two fighting teams. See “Scoring”. Any report submitted after the end of time is considered null.
Accepted scopes are:
- Host IP: provide the CIDR
- API: provide the url
- Mobile app: provide the package name from the Android Play Store and/or the iOS App Store
- Web app: provide the domains and subdomains
- Source code: provide the url where it can be downloaded
- IoT: provide the product
- Car: provide the car
It’s the responsibility of the platform that owns the scope to provide all necessary credentials for the 2 teams.
It’s the responsibility of the platform that owns the scope to communicate the details of the game (date/time, IPs…) to the customer.
Reports are handled during the game by a triager employed by the platform that owns the randomly chosen scope; he is the referee. This implies that he must be aware of the date of the game, as must the customer. It’s the responsibility of the platform that owns the scope to take care of any technical problems that could occur during the game.
While bounties can be awarded after the game, the severity of all reports must be estimated within at most 1 hour after the end of the game.
It’s the decision of the platforms, with the agreement of their customers, to disclose information regarding their own scopes/reports. Players are not allowed to reveal any details about the customers/scopes/reports outside the games.
Every accepted report is awarded points according to its criticality. The official Bugcrowd rating system is used as the base reference to estimate severities.
P1 (critical): 100 points.
P2 (high): 50 points.
P3 (medium): 20 points.
P4 (low): 10 points.
P5 (informative): 1 point.
Winning the game
The winner is the team that gets the most points in a game. In case of a tie, the fastest report is awarded a bonus of 100 points, which is enough to decide a winner.
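Added here as an illustration, not part of the original proposal: a Python model of the scoring rules above, covering the eight-hour window, null late or rejected reports, the 100-point tie-break for the fastest report, and the two-game match total. Team names, kick-off time and reports are constructed, and the tied-match case, which the rules do not define, is treated as an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Points per severity, taken from the rules above (Bugcrowd P1..P5 scale).
SEVERITY_POINTS = {"P1": 100, "P2": 50, "P3": 20, "P4": 10, "P5": 1}
GAME_DURATION = timedelta(hours=8)  # a game is eight hours, no break
TIEBREAK_BONUS = 100                # awarded to the fastest report on a tie

@dataclass
class Report:
    team: str            # team account that submitted the report
    severity: str        # "P1".."P5", as estimated by the referee
    submitted: datetime  # submission time on the platform
    accepted: bool = True

def counts(report, start):
    """A report counts only if accepted and submitted inside the game window."""
    return report.accepted and start <= report.submitted <= start + GAME_DURATION

def game_result(reports, start, teams):
    """Score one game; returns (winner, scores). Late or rejected reports are null.
    On a tie the earliest counting report earns TIEBREAK_BONUS for its team."""
    scores = {t: 0 for t in teams}
    counted = [r for r in reports if r.team in scores and counts(r, start)]
    for r in counted:
        scores[r.team] += SEVERITY_POINTS[r.severity]
    a, b = teams
    if scores[a] == scores[b]:
        if not counted:  # nothing reported by either team: no winner
            return None, scores
        scores[min(counted, key=lambda r: r.submitted).team] += TIEBREAK_BONUS
    return max(teams, key=scores.get), scores

def match_result(game1_scores, game2_scores):
    """Sum both games; the higher total qualifies. A tied total is not covered
    by the rules above, so it is returned as None (assumption)."""
    total = {t: game1_scores[t] + game2_scores.get(t, 0) for t in game1_scores}
    winner = max(total, key=total.get)
    return (None if list(total.values()).count(total[winner]) > 1 else winner), total

# Constructed sample game (not real data): kick-off at 09:00, two teams.
START = datetime(2024, 5, 4, 9, 0)
SAMPLE = [
    Report("Team A", "P1", START + timedelta(minutes=30)),
    Report("Team B", "P2", START + timedelta(minutes=10)),
    Report("Team B", "P2", START + timedelta(hours=2)),
    Report("Team A", "P3", START + timedelta(hours=8, minutes=5)),     # after time: null
    Report("Team B", "P4", START + timedelta(hours=3), accepted=False),  # rejected by referee
]
```

With the sample, both teams reach 100 points inside the window, so Team B's 09:10 report takes the tie-break and the game ends 100 to 200.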