Check Badoo for Strength! Vulnerability Search Month

    Badoo, following the largest representatives of the IT industry such as Google, Facebook and Yandex, is starting to pay for discovered vulnerabilities. We announce the contest "Test Badoo for Strength!", which starts on March 19 and lasts exactly one month.

    Everyone can participate in the competition, except for Badoo employees. Each participant can submit any number of applications.
    Participants undertake to keep the discovered vulnerabilities secret until Badoo notifies them of the fix in the application table, but no longer than May 31, 2013.
    We pay for all new vulnerabilities found.
    Vulnerabilities will be ranked from the 5th category (500 pounds sterling) to the 1st category (50 pounds sterling) depending on their criticality. The criticality category is determined by the jury.

    In addition, we have a special prize! Based on the results of the competition, the 3 most active participants will each receive 1,000 pounds. If you find something very serious, we can award a super bonus above 500 pounds.

    Where to look for vulnerabilities: , , and .
    The competition does not cover mobile versions of the site or applications for social networks.

    Prizes and categories

    Category 5 - 500 pounds;
    Category 4 - 300 pounds;
    Category 3 - 150 pounds;
    Category 2 - 100 pounds;
    Category 1 - 50 pounds.

    We do not want to tie our categories to traditional vulnerability scoring systems. The more damage a discovered vulnerability can cause, the more valuable it is to us and the higher the category we assign to it.

    How do we award categories

    To make this easier, we want to give you some orientation and explain how the categories will be assigned.

    • In our experience, most vulnerabilities found from outside fall into the category of HTML or XSS injections. If no harm at all can be done with the vulnerability found (for example, you can only change the output of the page), it will receive the lowest, 1st category.
    • SQL injections are more dangerous. Suppose you find a vulnerability that breaks an SQL query, but the only result is incorrect display of content on the site. Most likely, such a vulnerability will receive only the 2nd category.
      However, if an attacker could use the SQL vulnerability to gain access to some data of one or more users, the vulnerability could be assigned even the 5th category.
      If the vulnerability makes it possible to update data in a user profile, then, depending on how critical that data is, we can assign higher categories, up to the 5th.
    • CSRF vulnerabilities are also dangerous; the greater the potential damage, the higher the category.

    And do not forget that Badoo can award a super bonus above 500 pounds if you find something very serious.

    We make sure that

    • participants receive quick feedback;
    • participants can track their applications and see which vulnerabilities have already been fixed;
    • approved participants receive their prize BEFORE the vulnerability is fixed;
    • payment is quick and without bureaucratic red tape.

    The process looks like this

    • The participant submits an application through a form with a detailed description of the vulnerability, steps to reproduce it and screenshots / files (optional). The application should contain enough information to reproduce the vulnerability.
    • If the form is filled out correctly, a message is displayed stating that everything is fine and the report has reached us.
    • Within 3 working days, we analyze the application and decide whether it describes a new vulnerability. The author then receives an answer by e-mail.
    • If we accept the application, it appears in the "Status of applications" table with the status "In progress".
    • Once your application has received the status "In progress", our representative will contact you within a week to arrange the transfer of money. This happens whether or not the vulnerability has been fixed yet.
    • When the vulnerability is fixed, a description of the vulnerability and the status "Resolved" will appear in the table. Until then, the participant may not disclose the vulnerability.

    Join the game

    Competition Jury

    Evgeny Sokolov
    Head of Badoo Development

    Joined Badoo in 2012. Prior to that, he worked at Google Moscow as head of the engineering team in Moscow; in 2010 he headed Google's Moscow Engineering Center.
    Before joining Google, he developed financial systems and founded several small companies. He holds a Ph.D. from Stony Brook University.

    Alexey Rybak
    Deputy Head of Development, Badoo Development

    He has been developing web projects since 1999. His main areas of work in recent years are mass social services, photo and video hosting, and dating. He took part in the development of projects including one with 172 million users, DIV VGTRK and Memonet. In 1999, he graduated with honors from the Faculty of Physics of Moscow State University.

    Pavel Dovbush
    Head of Client Development, Badoo Development

    He is directly involved in JavaScript development as the lead developer.
    He specializes primarily in the architecture and optimization of large web applications.

    Ilya Ageev
    Head of Testing, Badoo Development

    Manages the testing and release processes. Prior to Badoo, he worked at Runner.