
Skillshare Bug Bounty Program

Skillshare runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Skillshare listed below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the further process of vulnerability remediation and disclosure between Skillshare and researchers.

The bug bounty program allows private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

*.skillshare.com

Non-Intrusive Submissions Handling

The following section encompasses submission of the vulnerabilities that do not require intrusive testing as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

Please include the steps to reproduce as well as the risk that exists to our business in a submission. The more details the better and screenshots are encouraged! Please see known issues and out of scope below.

Reporting Structure:

Title – This should be a quick and clear summary of the issue.
Asset – This should match exactly the asset you are reporting (example = www.skillshare.com).
Severity – The CVSS calculator is used to evaluate severity and bounty, so to avoid disappointment, be honest and critical when scoring severity.
Weakness – Select the most appropriate vulnerability type (example = SQLi, Improper Access Control, etc.).
Description – A detailed description of the vulnerability and how to reproduce it. This should include videos and screenshots.
Remediation – Details on how to remediate the vulnerability.

Testing Requirements:

No automated security scanners, DDOS testing or destructive security tests. Please note we have Cloudflare WAF and rate limiting controls in place and this could block you!

Possible Awards:

We do offer bounty payments that are subject to the following:
- It is not already known/reported
- There is demonstrable risk to a user or the company (i.e. no self XSS)

Skillshare has the final say on the bounty level and payouts.

Special Notes:

Please note we have Cloudflare enabled and it is possible that malicious looking traffic will be blocked.

What causes a report to be closed as Informative, Duplicate, N/A or Spam?
- These are just some examples of what may drive your report to a particular type of closure and are not intended to form a complete list.

Spam
- Reports that are incomprehensible, contain abusive behavior or harassment, or clearly show no effort to identify a security impact may be closed as Spam.
- Reports submitted with an apparent intent to sell a product or service to detect or prevent the vulnerabilities described in the report are likely to be closed as Spam.

Duplicate
- When reports on the same asset using the same attack vector/exploit are received, only the first report received is triaged. All other subsequent reports will be marked as a duplicate.
- A vulnerability reported on one domain may exist on another domain if the sites share the platform.

Informative
- Issues with minimal impact or relating to common security practices that are not prioritized for remediation.
- Reports notifying us of broken links or abandoned social media accounts.
- Submitted reports might have a perceived security impact externally, but internally Skillshare may have compensating controls in place.
- Notification of an existing indication of compromise. For example, if you report a subdomain takeover you encounter but did not execute yourself, this would be closed as informative.

N/A
- Violating program rules defined by the Skillshare bug bounty program policy.
- Reports submitted for assets that clearly do not belong to Skillshare.
- Reports identifying issues described in our list of exclusions.

Exclusions (out of scope or known issues)
- Rate limiting issues
- Self XSS
- WordPress admin endpoints exposed without a demonstrable exploit
- HTML link embeds within areas such as courses and the comment section of the website
- Session related issues, as these are known at this time and are being addressed
- Clickjacking/X-Frame-Options and CSP issues are both known at this time
- CSRF issues, unless you are able to use them to access sensitive information of another user, such as email address, password, etc.
- Mobile related issues, including "secrets" found within the application, must have an associated business risk from abusing those secrets
- Google Dorking findings related to class/course material

Other Submissions Handling

The website owner wants to receive information about other vulnerabilities.

Notifications:

[email protected]

General Requirements:

Reporting Structure:

Title – This should be a quick and clear summary of the issue.
Asset – This should match exactly the asset you are reporting.
Severity – The CVSS calculator is used to evaluate severity and bounty, so to avoid disappointment, be honest and critical when scoring severity.
Weakness – Select the most appropriate vulnerability type.
Description – A detailed description of the vulnerability and how to reproduce it. This should include videos and screenshots.
Remediation – Details on how to remediate the vulnerability.

Testing Requirements:

No automated security scanners, DDOS testing or destructive security tests. Please note we have Cloudflare WAF and rate limiting controls in place and this could block you!

Possible Awards:

We pay bounties for any new issues that are discovered. For the bounty to be accepted, we require proof of vulnerability, a valid business risk, and also a recommendation on how to address the issue.

Special Notes:

Please note we have Cloudflare enabled and it is possible that malicious looking traffic will be blocked.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

Response Time – How quickly researchers get responses to their submissions.
Remediation Time – How quickly reported submissions are fixed.
Cooperation and Respect – How fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.
