Patchstack Alliance Bounty Program Events for December

Published 1 December 2023
Updated 28 November 2024

This year was legendary for the Patchstack Alliance bounty program project, and to finish this year on the highest note, we decided to make four additional weekly events for December. Some of you remember when we did that last year, and it was a mind-blowing competition that echoed for several months after. So let’s do it again!

Events

We have four full competition weeks in December, each dedicated to particular vulnerabilities.

🏁 Week #1 – December 4-10, 2023 (finished!)

The first week is an easy one – warm up before getting serious. In the first week, you will compete by reporting Broken Access Control and Cross-Site Request Forgery (CSRF) vulnerabilities.

Patchstack Alliance December event / Week #1 - Broken Access Control and Cross-Site Request Forgery (CSRF) vulnerabilities

Week 1 results

🥇 Mika – 115,40 AXP ($300 bounty)
🥈 Le Ngoc Anh – 67,45 AXP ($200 bounty)
🥉 Friday – 32,75 AXP ($100 bounty)
🎖️ Yudistira Arya – 16,90 AXP
🎖️ Joshua Chan – 16,40 AXP

🏁 Week #2 – December 11-17, 2023 (finished!)

The second week will get more serious as you will compete by reporting Cross-Site Scripting (XSS) and Sensitive Data Exposure vulnerabilities.

Patchstack Alliance December event / Week #2 - Cross-Site Scripting (XSS) and Sensitive Data Exposure vulnerabilities

Week 2 results

🥇 Le Ngoc Anh – 252,05 AXP ($300 bounty)
🥈 Ngô Thiên An (ancorn_ from VNPT-VCI) – 214,7 AXP ($200 bounty)
🥉 Joshua Chan – 78,2 AXP ($100 bounty)
🎖️ Yudistira Arya – 42,6 AXP
🎖️ Dhabaleshwar Das – 14,2 AXP
🎖️ Dimas Maulana – 14,2 AXP
🎖️ Mika – 13,99 AXP
🎖️ Bryan Satyamulya – 8,85 AXP

🏁 Week #3 – December 18-24, 2023 (finished!)

In the third week of December, you can show your skills by reporting SQL Injection (SQLi), Open Redirection, and Broken Authentication/Bypass vulnerabilities.

Patchstack Alliance December event / Week #3 - SQL Injection (SQLi), Open Redirection and Broken Auth/Bypass vulnerabilities

Week 3 results

🥇 Le Ngoc Anh – 69,13 AXP ($300 bounty)
🥈 Yudistira Arya – 59,77 AXP ($200 bounty)
🥉 Joshua Chan – 27,9 AXP ($100 bounty)
🎖️ Ngô Thiên An (ancorn_ from VNPT-VCI) – 9,56 AXP

🏁 Week #4 – December 25-31, 2023 (finished!)

In the year’s final week, you’ll compete with other elite researchers in finding Remote Code Execution (RCE), PHP Object Injection, Arbitrary File (upload/download/deletion), and Privilege Escalation vulnerabilities.

Patchstack Alliance December event / Week #4 - Remote Code Execution (RCE), PHP Object Injection, Arbitrary File (upload/download/deletion), and Privilege Escalation vulnerabilities

Week 4 results

🥇 Yudistira Arya – 149,80 AXP ($300 bounty)
🥈 Ngô Thiên An (ancorn_ from VNPT-VCI) – 75,45 AXP ($200 bounty)
🥉 Le Ngoc Anh – 38,65 AXP ($100 bounty)

🏁 Monthly competition – December (finished!)

The great news is that the monthly competition will also happen, and all points from the weekly events will be counted in your monthly point pool. It means you can participate in five events in December.

Results

Bounties?

Yes, we have them. Each week, we will give bounties to TOP 3 researchers. 1st place is $300, 2nd place is $200, and 3rd place is $100 – meaning the weekly bounty pool is $600. Plus, at the end of December, we will count the points for the monthly results, and TOP 15 + 1 researchers will split up an additional $2450. It means that the overall December bounty pool is $4850!

Rules!

  • Patchstack Alliance standard rules apply to these events. Please read the rules carefully. To compete in a dedicated week event, report the vulnerability types assigned to that specific week.
  • Yes, you will get extra AXP points for boosted products from the Patchstack mVDP program; you can check the list of boosted products here – Extra points!
  • We will create public profiles for all new researchers who submit valid reports. Each public profile will include information about your results, and it will also list your Twitter, GitHub, LinkedIn, personal, and social links. We also accept “BuyMeACoffee” links on the profiles and on database entries for vulnerabilities you have discovered.
  • December results will be visible on this leaderboard. Weekly results will be announced by updating this article, on the Patchstack Twitter account, and on the Patchstack Alliance Discord server.
  • All valid reports will get their CVE IDs. Even if your report does not get any points (like admin+ vulnerabilities), you’ll still get the CVE ID if the report is valid.
  • If you have any questions, create a ticket on the Patchstack Alliance Discord server or DM darius.sveikauskas@patchstack.com.
