MNDWRK BUG HUNT
TERMS AND CONDITIONS

At Mndwrk, we consider the security of our systems a top priority. But no matter how much effort we put into system security, vulnerabilities can still be present. Therefore, we are launching a Bug Hunt in April-May 2023 to let our community members residing in Hungary explore the vulnerabilities of the Mndwrk Community Portal. We expect participants to identify vulnerabilities that a potential attacker could exploit to run malicious code, install malicious software, access confidential data, compromise data integrity, etc. (see detailed information and excluded submission types in the section Bug Hunt Rules).

Based on the experiences of this Bug Hunt, we are planning to introduce our ongoing Bug Bounty Program in the future.

By organizing this Bug Hunt, our goal is to find and fix vulnerable elements of the system, thereby increasing the security of the Mndwrk Portal. This program is not intended to obtain potential candidates for our current or future partners.

This web page represents a legal document with terms and conditions applicable to all individuals who register for the Mndwrk Bug Hunt through the dedicated registration form. Upon registering for the Mndwrk Bug Hunt, you are referred to as a “Researcher” and you are bound by and are obligated to comply with these Terms and Conditions.

Target

The Bug Hunt aims to uncover vulnerabilities of our systems/services available under the subdomain members.mndwrk.com (Mndwrk Community Portal).

Timing

The Bug Hunt starts on the 4th of May and finishes on the 22nd of May, 2023.

Kick-off meeting

A kick-off meeting will take place on the 3rd of May, 2023, 17:00 CET to establish a clear understanding of the goal, the rules and the processes of the Mndwrk Bug Hunt among all participants.

The Submission Process

If you believe you have discovered a vulnerability, please create a submission by e-mailing your findings to:

bughunt@mndwrk.com

In the initial submission, the full description of the Vulnerability must be specified, including as much of the following information as possible:

  • Type of issue (SQL injection, cross-site scripting, privilege escalation, etc.);
  • All steps required to reproduce the exploitation of the vulnerability;
  • Proof of concept or exploit code. We encourage Researchers to include a video or screenshot Proof-of-Concept in their submissions. These files should not be shared publicly; this includes uploading them to any publicly accessible website (e.g. YouTube, Imgur, etc.). If a file exceeds 100 MB, upload it to a secure online service such as Google Drive, OneDrive, Tresorit or Vimeo, protected with a password;
  • Saved attack logs;
  • URLs and/or applications affected; and
  • A description of the potential impact of the issue, and how an attacker could exploit it.

Incomplete information and the complexity of the Vulnerability may affect the review time of the Vulnerability, whether a submission is awarded, and/or the amount of the reward.

Each submission will be updated (i.e. the Researcher will be notified) at significant events, including when the issue has been validated, when we need more information from you, or when you have qualified for a reward.

Each submission is evaluated by the Bug Hunt Committee, set up by Mndwrk. We will evaluate submissions on the basis of first-to-find. You will qualify for a reward if you were the first person to alert Mndwrk to a previously unknown issue AND the issue triggers a code or configuration change.

We keep the right to cancel the program at any time.

During the disclosure process we will

  • respond to your report as fast as possible (normally within 10 working days) with our evaluation of the report.
  • not take any legal action against you on the reported vulnerabilities, if you have followed the instructions described in this document.
  • handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
  • keep you informed of the progress towards resolving the vulnerability.

Bug Hunt Rules

We are committed to protecting the interests of Mndwrk as well as the interests of the Researchers. The more closely your behavior follows these rules, the better we will be able to cooperate with you and protect you if a difficult situation escalates.

Please carefully read the following rules:

  • Testing should be performed only on systems identified under the ‘Target’ section. Any other systems are Out Of Scope.
  • You should create accounts for testing purposes. Do not use leaked or compromised accounts belonging to other users. Vulnerabilities that were discovered using leaked or compromised accounts will be disqualified.
  • Submissions must be made exclusively through e-mail (bughunt@mndwrk.com) to be considered for a reward.
  • Communication regarding submissions must remain within Mndwrk support channels for the duration of the disclosure process.
  • Actions which affect the integrity or availability of the target are prohibited, and this rule is strictly enforced. If you notice performance degradation on the target systems, you must immediately suspend all use of automated tools.
  • Submissions should have an impact on the target’s security posture. Impact means the reported issue affects the target’s users, systems, or data security in a meaningful way. For example:
      • Leaking, modifying or unauthorized access to sensitive server configuration, code, or user data (especially credentials);
      • Privilege escalation (e.g. obtaining admin rights on your test user, or running code on the servers).
  • Submissions will be evaluated based on the maximum possible impact they have on the target’s users, systems or data security. Researchers should stop their activity as soon as they find the bug, before having any harmful impact on the above. Submitters may be asked to defend the impact in order to qualify for a reward.
  • Submissions may be closed if a Researcher is non-responsive to requests for information after 7 days.
  • Researchers are expected to refrain from the following actions:
      • Attacking our end users in any way or engaging in the trade of stolen user credentials.
      • Taking advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary, or deleting or modifying other people's data to demonstrate the vulnerability.
      • Revealing vulnerabilities to third parties until they have been resolved. We will do our best to remediate findings within 90 days.
  • Mndwrk’s Disclosure policies apply to all submissions, including Duplicates, Out of Scope, and Not Applicable submissions.
  • If a Researcher wants to retain disclosure rights for vulnerabilities that are out of scope for the bounty program, they should report the issue to Mndwrk.
  • Violation of a program’s stated disclosure policy may result in enforcement.

You must be at least 18 years old and have a primary residence and citizenship in Hungary to be eligible to receive any monetary compensation as a Researcher.

Registration

You will need to register and accept the Terms and Conditions for the Mndwrk Bug Bounty Program on https://mndwrk-com/events/bug-hunt. When you register, you must give us accurate and complete information. This means that you cannot register using a name or contact information that does not apply to you, and you must provide accurate and current information on all registration forms. You may only register once. Mndwrk may deny the registration of certain names or require certain names to be changed at Mndwrk’s sole discretion.

A violation of the rules included in this document may result in the invalidation of submissions, and forfeiture of all rewards, for current and future Mndwrk Bug Bounty Programs.

Excluded Submission Types

Some submission types are excluded because they are dangerous to assess, or because they have low security impact to Mndwrk. This section lists issues that Mndwrk does not accept; such submissions will be immediately marked as invalid and are not rewardable.

  • Findings from physical testing such as office access (e.g. open doors, tailgating).
  • Findings derived primarily from social engineering (e.g. phishing, vishing).
  • Findings from applications or systems not listed in the ‘Target’ section.
  • Functional, UI and UX bugs and spelling mistakes.
  • Network-level Denial of Service (DoS/DDoS) vulnerabilities.

Common “Non-qualifying” Submission Types

Some submission types do not qualify for a reward because they have low security impact and thus do not trigger a code change. This section lists issues that are commonly reproducible but are often ineligible. We strongly suggest you do not report these issues unless you can demonstrate a chained attack with higher impact.

  • Descriptive error messages unless they contain sensitive data (e.g. stack traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Banner disclosure on common/public services.
  • Disclosure of known public files or directories (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure and HttpOnly cookie flags.
  • Lack of a security speedbump when leaving the site.
  • Weak Captcha / Captcha bypass.
  • Username enumeration via Login page error message.
  • Username enumeration via Forgot Password error message.
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS / TRACE HTTP method enabled.
  • SSL attacks such as BEAST, BREACH, Renegotiation attack.
  • SSL forward secrecy not enabled.
  • SSL insecure cipher suites.
  • The Anti-MIME-Sniffing header X-Content-Type-Options.
  • Missing HTTP security headers, specifically

Program Rewards

The decision to grant a reward, and the value of a reward (if any), is entirely within Mndwrk’s discretion.

All qualifying Researchers will be rewarded with MWCs on the Mndwrk Community Portal; therefore, to be rewarded you must create an account on the Portal. Please read our ICO White Paper Draft for more details about MWCs here.

We will evaluate each submission based on CVSS version 3.1, and will calculate the CVSS scores with the calculator available on https://www.first.org/cvss/calculator/3.1. Reward amounts are based on the security level of the submission:

Security level (CVSS score)    MWCs rewarded
Low (0.1-3.9)                  100 - 500
Medium (4-6.9)                 501 - 1 000
High (7-8.9)                   1 001 - 3 000
Critical (9-10)                3 001 - 7 000

In addition, we will reward the top 3 Researchers (based on the number and security level of their submissions).

Rank    MWCs rewarded
1st     20 000
2nd     15 000
3rd     10 000

Intellectual Property; Ownership of Testing Results

You hereby represent that you have obtained the necessary approvals and consents from all third parties including your employer for the purpose of participating as a Researcher.

For the purposes of this section, “Testing Results” means information about vulnerabilities on the Target System discovered, found, observed or identified by Researchers, and “Target System” means the applications and systems that are the subject of the Mndwrk Bug Hunt.

You shall ensure that all Testing Results in the Target System that you submit are kept secret and confidential. Do not disclose the information to any third party without our written confirmation unless Mndwrk has already disclosed the information or you are required to disclose the information by applicable laws.

ALL SUBMISSIONS ARE CONFIDENTIAL INFORMATION OF MNDWRK. This means no submissions may be publicly disclosed at any time unless Mndwrk has otherwise consented to disclosure. You may discuss a vulnerability after it is fixed, but cannot discuss it in any way before that. If you want to discuss a vulnerability in your blogs, public speeches, white papers, or other media after the vulnerability is fixed, please contact Mndwrk for consent. It is recommended that you discuss a vulnerability publicly 30 days after Mndwrk fixes the vulnerability that you submitted.

As a prerequisite for participating in this program, you hereby grant Mndwrk, its affiliates, and customers a permanent, irrevocable, worldwide, transferable, and sub-licensable license regarding the vulnerabilities you have discovered. Mndwrk, its affiliates, and customers can use, sell, copy, adapt, modify, publish, distribute, publicly interpret, and create derivative works of the vulnerability that you submit to us, and use the license in other ways.

The intellectual property rights of the products, system software, and related technical materials provided to you for testing are owned by Mndwrk (except for third-party system software). You only have a non-exclusive, non-sublicensable, and non-redistributable general license based on the purpose of the Bug Hunt. The license automatically terminates upon the expiration of this Bug Hunt.

You warrant that the software you use is copyrighted and legitimate and does not infringe upon intellectual property rights of any third party. You shall not engage in manufacturing, using, distributing, or transferring forged, pirated, or illegal software. If you violate this article, we have the right to terminate some or all services provided to you without being deemed in violation of this Agreement. You shall bear relevant legal liabilities if any losses are caused to us.

All non-public information (including but not limited to technical information, business secrets, Huawei agreements, and related confidential information) that you obtain from us during the Bug Hunt (collectively referred to as "confidential information") is protected by laws and regulations regarding intellectual property rights, anti-unfair competition and other legal issues. We shall respect each other's intellectual property rights and trade secrets, and you shall be responsible for the confidentiality of our technical secrets and trade secrets. You shall not disclose, transfer, license others to use, exchange, donate, or share such secrets with any other individual or organization in any manner, or co-use or improperly use such secrets with any such individual or organization without Mndwrk’s prior written consent. You shall bear relevant legal liabilities if any losses are caused to us due to your violation of this article.

This section shall remain binding on the Parties after the Bug Hunt.

Confidentiality Obligations

“Confidential Information” means any information that is marked or otherwise designated as confidential at the time of disclosure or that a reasonable person would consider confidential based on the circumstances and content of the disclosure, and includes, without limitation: customer information, personally identifiable information, financial information, information regarding the Target System, pricing information, business information, and amounts paid to Researchers. Confidential Information does not include information that: (i) is or becomes known to the receiving party from a source other than one having an obligation of confidentiality to the disclosing party; (ii) is or becomes publicly known or otherwise ceases to be confidential, except through a breach of this Agreement; or (iii) is independently developed by the receiving party.

You agree that you will (i) hold in confidence and not disclose to any third party any Confidential Information, except as approved in writing by the disclosing party; (ii) protect such Confidential Information with at least the same degree of care that the Researcher uses to protect their own Confidential Information, but in no case less than reasonable care; (iii) use the disclosing party’s Confidential Information for no purpose other than the use permitted by the disclosing party; and (iv) immediately notify the disclosing party upon discovery of any loss or unauthorized disclosure of the disclosing party’s Confidential Information.

Official Support Channel and Private Communication

During the course of the Mndwrk Bug Hunt, the Mndwrk team may communicate updates via e-mail. If you have questions about a program or a specific submission, you may contact the Mndwrk team via bughunt@mndwrk.com.