Bounty Program for Vulnerabilities

Why Advance?
A' Design Award gives importance to your security and privacy. We incorporate necessary steps to ensure your data is safe and secure such as using SSL Encryption as well as Secure Hash based password comparison for authentication and we are constantly looking for new ways to improve our security, for that reason we have decided to integrate a bug bounty program where we reward security researchers, coders, hackers, software developers, database engineers and tech-savvy users who could help us strengthen our defenses and lessen any potential vulnerabilities. We observe that software security researchers and white hat hackers are increasingly engaging with companies to hunt down vulnerabilities, bugs and issues. Security Bug Hunting Programs by large enterprises have helped to create strong bug-hunting communities across the globe. The A' Design Award bounty program recognizes these researchers and provides a return for their efforts.

What is a Vulnerability?
If you’ve found a vulnerability, please submit it by contacting us. But it is important to remember what's a security vulnerability?: For A' Design Award a security vulnerability is an unintended security hole that results from a mistake of the programmer; it is an unintended security exposure. For us, security vulnerabilities are a result of a security problem in the design of the product, software or program. Problems that result from following the best practices and widely accepted standards are not security vulnerabilities, even if these best practices are imperfect. Furthermore, if you could crash our system or utilize all our computing resources with DDOS attacks, that would not be considered a security vulnerability, however for example if there is one single link that could crash the whole site, for example a link to a program that divulges into infinite loop, we could consider it a security vulnerability. Furthermore, we usually do not consider error messages that reveals links to files as security issues, unless you can access the file and under the condition that the file should not be accessible by public.

Important Issues - Unknowns Open for Rewards
There are issues that we would consider serious issues, for example if you can 1) inject code, 2) gain administrative privileges to our system, 3) access confidential information such as private user details, 4) download our source code, as well as other issues such as 5) SQL Injection, 6) Remote Code Execution, 7) Authentication or Authorization flaws, 8) Bypassing Login, 9) Server-side code execution bugs, 10) Content Spoofing or Injection that could create a security risk (remember that any user is already able to spoof and inject content as this is indeed how the system works, but if they can inject code for example, than we will consider this an issue).

Known Issues - Design Decisions - Not Eligible for Rewards
Regardless of what is eligible or not eligible, we are happy to hear about it, send us a letter and we might consider a reward or at least send a postcard or thank you letter, that being said, it is important to also understand what we do not think as security issues: 1) Explanatory error messages such as descriptive server errors. 2) Non HTTP 200 codes (such as 404 not found, 403 forbidden) 3) URL Redirection, 4) Flaws affecting the users who use out-of-date browsers and plugins 5) Logout cross-site request forgery, 6) Bugs requiring ridiculously unlikely user interaction 7) Physical Attacks and Social Engineering 8) Bugs that do not have any real life effect on anything 9) Any vulnerability found through automated tools or scans, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic. 10) Password Reset Links 11) Issues that are not intrinsic to our code; for example if there is an issue with server software not developed by us, if the issue relates to a third-party software or plugin, if the issue is about a product or service by another company etc. 12) Rivals' issues, 13) Cross-site scripting (this is a design issue as we use multiple websites), 14) Cross-site request forgery (this is a design issue as we use multiple websites). 15) Changing amounts in payments forms (we manually approve the payments, and we know this issue, it is a design decision we have). 16) Redressing: We allow external iframes as a design decision, therefore there is no need to report user interface redressing or clickjacking.

Submit Unlisted Vulnerabilities
You may submit other types of vulnerabilities that we did not list here and we would try to find a way to recognize your effort. In practice, if we take action after your letter, we would issue a reward; that means if your bug report triggers us to change our code update our configuration then we shall reward you. The amount of the reward depends on the security bug or threat level. You will qualify for bounty and reward eligibility only if you are the first person to responsibly disclose an unknown issue. Our security team and development teams have thirty (30) days to respond to your report, and up to a possible ninety (90) days to implement a solution based on the severity of the issue. Please allow for this process to fully complete before you would publicly disclose the vulnerability you found. Note that posting details or conversations about this report before it has been approved for disclosure or posting details that reflect badly on this program and the A' Design Award brand, will result in immediate removal from the program. You can test the software, services or mobile apps and demonstrate their vulnerabilities only from your own account. Hacking into others' account is strictly forbidden. By submitting a bug report you agree to comply with our Responsible Disclosure Policy, i.e. you do not disclosure of the details of any vulnerability found on our system for 90 days and furthermore if possible do not mention our name at all. Please duly note that we can cancel the program at any time and the decision as to whether or not to pay a reward has to be entirely at our discretion, this bug bounty program is not a competition, it is rather an experimental and discretionary rewards program. If two or more researchers happen to find the same bug, the bounty will be paid only to the one whose submission came in first, if the report happens the same day and hour, we will divide it between the two (or more) people who submit it. The bounty will be paid after we fix the issue (or, in specific cases, decide to not fix it). We reserve the right to change the rules of the program or to cancel it at any time. It is the researcher’s own responsibility to pay any taxes and other applicable fees in his/her country of residence for revenues from your bug bounties. Please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam others, or do other similarly questionable things in respect to this program. The reports should be submitted in English. If possible, please invoice us as “Security Consultancy” for payments related to bug bounties, we can pay via PayPal and WireTransfer as you see fit. Once you send your report, you should receive a response from our support team acknowledging receipt of your email. If you do not receive a response, please contact us again and be patient, we reply all mails but sometimes it takes long. Reward amounts start from 50 Euro and up. When reporting a bug, please help us to better understand the nature and scope of the possible issue by indicating 1) Type of issue (Cross-Site Scripting, SQL Injection, Privilege Escalation, Authentication and Authorization, Remote Code Execution, Cross-Site Request Forgery, Directory Traversal, Confidential Information Access, Content Spoofing etc.) 2) Product that contains the bug. 3) How you access the bug, such as the URL, procedure, link etc. 4) Any special configuration or preparation required to reproduce the issue. 5) Step-by-step instructions to reproduce the issue. 6) Proof-of-concept or exploit code, 7) Impact of the issue, including how an attacker could exploit the issue 8) If possible make it visual, put images and videos perhaps, you can include screenshots, written explanations etc. If you believe you have found a security vulnerability on A' Design Award, we encourage you to let us know right away. To show our appreciation for security researchers such as yourselves, we offer a monetary bounty for certain qualifying security bugs. When you figure out a vulnerability, please contact us before exploiting it; i.e. if you found a bug that would damage our database, instead of running the bug please do contact us before causing any damage.

We created this bounty program for A' Design Award because we care about our users as well as our reputation as a safe and secure program to support good design. We wish to sincerely thank you for your input in making a better, safer and trusted design award and we are looking forward for your honest contributions towards advancing our system, software, program and platforms.

The A' Design Award and Competition is aimed to fix any issues as fast as possible to ensure a safe and trustable platform for designers to nominate their designs.