
Skillshare Bug Bounty Program

Skillshare runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Skillshare set out below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the further process of vulnerability remediation and disclosure between Skillshare and researchers.

The bug bounty program allows private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

*.skillshare.com

Non-Intrusive Submissions Handling

The following section covers submissions of vulnerabilities that do not require intrusive testing, as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

Please include the steps to reproduce, as well as the risk that exists to our business, in a submission. The more details the better, and screenshots are encouraged! Please see the known issues and out-of-scope items below.

Reporting Structure:

Title – This should be a quick and clear summary of the issue.
Asset – This should match exactly the asset you are reporting (example = www.skillshare.com).
Severity – The CVSS calculator is used to evaluate severity and bounty, so to avoid disappointment, be honest and critical when scoring severity.
Weakness – Select the most appropriate vulnerability type (example = SQLi, Improper Access Control, etc.).
Description – A detailed description of the vulnerability and how to reproduce it. This will include videos and screenshots.
Remediation – Details on how to remediate the vulnerability.

Testing Requirements:

No automated security scanners, DDoS testing or destructive security tests. Please note we have Cloudflare WAF and rate limiting controls in place, and these could block you!

Possible Awards:

We do offer bounty payments that are subject to the following:
- It is not already known/reported
- There is demonstrable risk to a user or the company (i.e. no self XSS)

Skillshare has the final say on the bounty level and payouts.

Special Notes:

Please note we have Cloudflare enabled and it is possible that malicious looking traffic will be blocked.

What causes a report to be closed as Informative, Duplicate, N/A or Spam?
- These are just some examples of what may drive your report to a particular type of closure and are not intended to form a complete list.

Spam
- Incomprehensible reports, abusive behavior or harassment within a report, or reports showing clearly no effort to identify a security impact may be closed out as Spam.
- Reports submitted with an apparent intent to sell a product or service to detect or prevent the vulnerabilities described in the report are likely to be closed as Spam.

Duplicate
- When reports on the same asset using the same attack vector/exploit are received, only the first report received is triaged. All other subsequent reports will be marked as a duplicate.
- A vulnerability reported on one domain may exist on another domain if the sites share the platform.

Informative
- Issues with minimal impact or relating to common security practices that are not prioritized for remediation.
- Reports notifying us of broken links or abandoned social media accounts.
- Reported submissions might have a perceived security impact externally, but internally Skillshare may have compensating controls.
- Notification of an existing indication of compromise. For example, if you report a subdomain takeover you encounter but did not execute yourself, this would be closed as informative.

N/A
- Violating program rules defined by the Skillshare bug bounty program policy.
- Reports submitted for assets that clearly do not belong to Skillshare.
- Reports identifying issues described in our list of exclusions.

Exclusions (out of scope or known issues)
- Rate limiting issues
- Self XSS
- HTML link embeds within things like courses and the comment section of the website.
- Session-related issues, as these are known at this time and are being addressed.
- Clickjacking/X-Frame-Options and CSP are both known at this time.
- CSRF issues, unless you are able to use this to access sensitive information of another user like email address, password, etc.
- Mobile-related issues, including "secrets" found within the application, must have an associated business risk from abusing those secrets.
- Google Dorking findings related to class/course material.

Other Submissions Handling

The website owner wants to receive information about other vulnerabilities.

Notifications:

[email protected]

General Requirements:

Reporting Structure:

Title – This should be a quick and clear summary of the issue.
Asset – This should match exactly the asset you are reporting.
Severity – The CVSS calculator is used to evaluate severity and bounty, so to avoid disappointment, be honest and critical when scoring severity.
Weakness – Select the most appropriate vulnerability type.
Description – A detailed description of the vulnerability and how to reproduce it. This will include videos and screenshots.
Remediation – Details on how to remediate the vulnerability.

Testing Requirements:

No automated security scanners, DDoS testing or destructive security tests. Please note we have Cloudflare WAF and rate limiting controls in place, and these could block you!

Possible Awards:

We pay bounties for any new issues that are discovered. For the bounty to be accepted, we require proof of vulnerability, a valid business risk, and also a recommendation on how to address the issue.

Special Notes:

Please note we have Cloudflare enabled and it is possible that malicious looking traffic will be blocked.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

- Response Time: how quickly researchers get responses to their submissions.
- Remediation Time: how quickly reported submissions are fixed.
- Cooperation and Respect: how fairly and respectfully researchers are being treated.

Researcher's comments

No comments so far.
