LeetCode Bug Bounty Program
Eligibility
Reports on the following classes of vulnerability are eligible for a reward unless they are excluded below (see the next two sections). In most cases we will only reward vulnerabilities of the types listed here.
- Arbitrary code execution
- SQL injection
- Privilege escalation (from an unauthenticated user, or to an admin user)
- Authentication bypass for login
- Circumvention of the permission model for apps or admin users
- Cross-site request forgery
- Cross-site scripting - See the next section for limitations
Known issues or previously reported vulnerabilities
The following reports are not considered vulnerabilities, or are out of scope for this bug bounty program. Please do not report any of the following issues:
- Any issue where staff users are able to insert JavaScript into their content
- Any issue related to execution of JavaScript in the Rich Text Editor (for example, when editing the description of a problem)
- Cross-site scripting that requires full control of an HTTP request header, such as Referer or Host
- Arbitrary file upload to the CDN server
- Insecure cookie handling for non-sensitive cookies
- Incorrect/No cookie expiration
- CSRF for Login, Logout and Signup pages
- Issues with the SPF, DKIM or DMARC records for LeetCode domains, or mail system abuse
- User enumeration
- A missing "X-Content-Type-Options: nosniff" HTTP response header, which can allow MIME-type sniffing
- Content spoofing on the error page and the password-reset page
- Any kind of brute force attacks on our services.
Ineligible vulnerability types
LeetCode does not consider the following to be eligible vulnerabilities under this program:
- Denial of Service
- Social Engineering, including phishing
- Failure to implement security best practices such as rate limiting or a minimum password strength
- Any issue that can only be exploited with physical access to someone's device or with debug access enabled, or that depends on a vulnerability in the operating system
- Architectural decisions knowingly made by LeetCode are not valid submissions to the whitehat program, even if a more secure alternative configuration exists. In general, issues in this category will be rejected if we do not plan to implement a fix for them
Rules for participation
The following rules must be followed to be eligible for any reward:
- Don’t attempt to gain access to another user’s account or data.
- Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
- Don’t publicly disclose a bug before it has been fixed.
- Allow a reasonable amount of time for LeetCode to respond to your vulnerability report before publishing details of your exploit.
- Only test for vulnerabilities on sites you know to be operated by LeetCode. Some sites hosted on subdomains of leetcode.com are operated by third parties, or are no longer supported by us and remain only for legacy reasons. However, if a vulnerability on such a subdomain can be used to escalate privileges on our main site, it may be eligible for a bounty.
- Do not impact other users with your testing; this includes testing for vulnerabilities in repositories you do not own. We may suspend your LeetCode account and ban your IP address if you do so.
- Don’t use scanners, scrapers or any other automated tools in your testing. They’re noisy, and we may suspend your LeetCode account and ban your IP address.
- Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- When in doubt, contact us at support@leetcode.com
Rules for us
- We will respond as quickly as possible to your submission.
- We will keep you updated as we work to fix the bug you submitted.
- We will not take legal action against you if you play by the rules.
To submit a report, please contact us at support@leetcode.com
Last modified: 10/11/2018