Embrace your inner cyber crusader, ethical guardian of the digital realm, or simply someone yearning to wield your skills for a meaningful impact – the moment of destiny has arrived, presenting you with the extraordinary opportunity to shape a better, safer online world.
CSI Linux stands at the forefront, cultivating the next wave of global investigators, boasting a thriving community of over 12,000 eager learners and counting. Our unwavering commitment lies in ferreting out vulnerabilities, making it our foremost mission.
We treasure our alliance with the vigilant warriors of vulnerability-hunting communities. When you report your findings to us, rest assured they undergo meticulous scrutiny by our in-house security maestros.
Only after thorough evaluation and appropriate action are you rewarded, and what rewards they are!
You’ll receive a prestigious certificate of recognition, a digital e-badge, and a triumphant public celebration across our extensive social platforms and website. Your hard-earned credit will shine bright, with even more exciting plans on the horizon, including exclusive merchandise. It’s easy to get involved, just read on…
Response limits:
At the moment this program is closed-access which means you have to give us notice before you go ahead with your hunting so that we can whitelist your IP address. However, this is how the program goes should you have any problems reach out to the program lead AskerDyne:
| Type of Response | SLA in business days |
|---|---|
| First Response | 7 days |
| Time to Triage and Trial | 14 days |
| Time to Resolution | depends on severity and complexity |
| Time to Reward | 28 days |
We try to be transparent and will take steps to actively keep reporters in the loop regarding the progress of their reports throughout the process. This is a new program so there might be honest mistakes on either party’s side when working on reports. So if an error is made at any stage we’ll do our utmost to resolve it.
A vulnerability report will be considered resolved when any actual vulnerability has been fully addressed and no further action is required by CSI Linux to resolve the vulnerability.
Program Rules:
Please carefully review these rules, as they will govern any report you submit!
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the report will not be eligible for a reward. Please consider (1) the attack scenario/exploitability, and (2) the security impact of the vulnerability. If you can propose a solid thesis and theoretical evidence for a scenario/exploit this may be considered on a case-by-case basis on the premise of practicality.
- Researchers may only submit one vulnerability per report unless there is a need to chain vulnerabilities to provide impact.
- When multiple researchers identify and report the same underlying issue, We will award any applicable bounty to the first eligible report that was received, we will let the subsequent reporter know this should we have duplicate reports.
- Vulnerabilities that we are already aware of will not be rewarded unless we’re able to build on what we’re already aware of.
- Reports that identify multiple vulnerabilities caused by one underlying issue will be awarded at most one bounty.
- Issues identified by a reporter will be paid at most only once, even if the same issue can be exploited on multiple in-scope assets or on contracts deployed across multiple chains.
- If you are hunting as a group you must be able to evidence all group members such as through a Git Team, website providing credence to your group, etc. You will be awarded a certificate each as well as an e-badge each.
- We do consider vulnerabilities and major bugs within the CSI Linux operating systems for reward however they must not make use of the default credentials of
csifor both the user/password, as in a live environment, end-users are encouraged to change the password at least.
Searching for Potential Vulnerabilities:
- Researchers may not impact production systems in a negative way for any testing.
- All CSI Linux testing and research should be conducted internally.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Brute-forcing web forms or fields are prohibited.
- Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Wallet vulnerabilities for payment processing are considered higher-priority and we focus on these above most other vulnerabilities.
- Failure to adhere to any of the terms in this section will make you ineligible for a reward and may constitute a crime which may lead to a court case being opened against you.
Out-of-scope vulnerabilities:
The following issues are considered out of scope
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access or control over a user’s device. This specifically means that client-side manipulation of Javascript is excluded without a demonstration of how to manipulate the Javascript remotely.
- Previously known vulnerable libraries without a working Proof of Concept.
- Rate limiting or brute force issues on non-authentication endpoints.
- Any automated tool outputs or reports, such as Nessus.
(You can use these as part of a comprehensive report but the outputs alone will not be considered a legitimate report) - Denial of service attacks (DDOS/DOS).
- Missing HttpOnly or Secure flags on cookies.
- Vulnerabilities only affect users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).
- Software version disclosure/banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).
- Public zero-day vulnerabilities that have had an official patch for less than 1 month. While outside the scope of the official bug bounty program, CSI Linux may still review these vulnerabilities – we may provide a reward at our sole discretion, however.
- Vulnerabilities that were publicly disclosed in any manner, prior to us receiving the report, and vulnerabilities of which we are otherwise already aware.
- Open redirect – may be eligible if it is part of a chain of issues, but not as a standalone issue.
- Javascript execution on csilinux.com and sub-domains is expected as our learning platform makes use of JS. To be considered in scope, you will need to demonstrate how it harms users on in-scope assets.
- Vulnerabilities reported by the same researcher to other entities either before or after their report to CSI Linux.
Disclosure Policy
To ensure that any disclosure of vulnerabilities happens in a responsible manner, do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from CSI Linux.
Failure to adhere to the Disclosure Policy will result in the forfeiture of any eligible reward.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you for such authorized conduct.
Thank you for helping keep CSI Linux and the community safe!
Bounty Amount Discretion
Vulnerability reports that are (i) in-scope, (ii) comply with CSI Linux bug bounty policy, are not currently eligible for a monetary amount as a reward.
Dispute Resolution
- If you have any dispute about the application of the CSI Linux Hunter Disclosure program, you must first attempt to resolve the dispute in good faith through email support. Reports are processed by AskerDyne should the dispute lead to a re-investigation they will be followed through by a CSI Linux internal staff peer.
Make A Report
Making a report is seriously simple just fill in the form, Should you need to append an attachment such as a screenshot, please respond to our follow-up email with attachments on request.