This year was legendary for the Patchstack Alliance bounty program project, and to finish this year on the highest note, we decided to make four additional weekly events for December. Some of you remember when we did that last year, and it was a mind-blowing competition that echoed for several months after. So let’s do it again!
Events
We have four full competition weeks in December, each dedicated to particular vulnerabilities.
🏁 Week #1 – December 4-10, 2023 (finished!)
The first week is an easy one – warm up before getting serious. In the first week, you will compete by reporting Broken Access Control and Cross-Site Request Forgery (CSRF) vulnerabilities.
Week 1 results
🥇 Mika – 115,40 AXP ($300 bounty)
🥈 Le Ngoc Anh – 67,45 AXP ($200 bounty)
🥉 Friday – 32,75 AXP ($100 bounty)
🎖️ Yudistira Arya – 16,90 AXP
🎖️ Joshua Chan – 16,40 AXP
🏁 Week #2 – December 11-17, 2023 (finished!)
The second week will get more serious as you will compete by reporting Cross-Site Scripting (XSS) and Sensitive Data Exposure vulnerabilities.
Week 2 results
🥇 Le Ngoc Anh – 252,05 AXP ($300 bounty)
🥈 Ngô Thiên An (ancorn_ from VNPT-VCI) – 214,7 AXP ($200 bounty)
🥉 Joshua Chan – 78,2 AXP ($100 bounty)
🎖️ Yudistira Arya – 42,6 AXP
🎖️ Dhabaleshwar Das – 14,2 AXP
🎖️ Dimas Maulana – 14,2 AXP
🎖️ Mika – 13,99 AXP
🎖️ Bryan Satyamulya – 8,85 AXP
🏁 Week #3 – December 18-24, 2023 (finished!)
On the third week of December, you can show your skills by reporting SQL Injection (SQLi), Open Redirection, and Broken Authentication/Bypass vulnerabilities.
Week 3 results
🥇 Le Ngoc Anh – 69,13 AXP ($300 bounty)
🥈 Yudistira Arya – 59,77 AXP ($200 bounty)
🥉 Joshua Chan – 27,9 AXP ($100 bounty)
🎖️ Ngô Thiên An (ancorn_ from VNPT-VCI) – 9,56 AXP
🏁 Week #4 – December 25-31, 2023 (finished!)
In the year’s final week, you’ll compete with other elite researchers in finding Remote Code Execution (RCE), PHP Object Injection, Arbitrary File (upload/download/deletion), and Privilege Escalation vulnerabilities.
Week 4 results
🥇 Yudistira Arya – 149,80 AXP ($300 bounty)
🥈 Ngô Thiên An (ancorn_ from VNPT-VCI) – 75,45 AXP ($200 bounty)
🥉 Le Ngoc Anh – 38,65 AXP ($100 bounty)
🏁 Monthly competition – December (finished!)
The great news is that monthly competition will also happen, and all points from weekly events will be counted in your monthly point pool. It means you can participate in five events in December.
Results
Bounties?
Yes, we have them. Each week, we will give bounties to TOP 3 researchers. 1st place is $300, 2nd place is $200, and 3rd place is $100 – meaning the weekly bounty pool is $600. Plus, at the end of December, we will count the points for the monthly results, and TOP 15 + 1 researchers will split up an additional $2450. It means that the overall December bounty pool is $4850!
Rules!
- Patchstack Alliance standard rules apply to these events. Please read the rules carefully. Please report particular vulnerability types on specific weeks to compete in dedicated week events.
- Yes, you will get extra AXP points for boosted products from Patchstack mVDP program, you can check the list of boosted products here – Extra points!
- We will create public profiles for all new researchers who will submit valid reports. Each public profile will include information about your results, also it will have your Twitter, GitHub, Linked, your personal and social links. Also we accept “BuyMeACoffee” links on the profiles and on database entries for vulnerabilities you have discovered.
- December results will be visible on this leaderboard. Weekly results will be announced by updating this article, on Patchstack Twitter account and on Patchstack Alliance Discord server.
- All valid reports will get their CVE IDs. Even if your report does not get any points (like admin+ vulnerabilities), you’ll still get the CVE ID if the report is valid.
- If you have any questions, create a ticket on the Patchstack Alliance Discord server or dm to darius.sveikauskas@patchstack.com.