Skillshare Bug Bounty Program

Skillshare runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Skillshare set out below.

Open Bug Bounty performs triage and verification of submissions. However, we never intervene in the subsequent process of vulnerability remediation and disclosure between Skillshare and researchers.

This bug bounty program allows private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

*.skillshare.com

Non-Intrusive Submissions Handling

The following section covers submissions of vulnerabilities that do not require intrusive testing, as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

Please include the steps to reproduce as well as the risk to our business in your submission. The more details the better, and screenshots are encouraged! Please see known issues and out of scope below.

Reporting Structure:

Title – This should be a quick and clear summary of the issue.
Asset – This should match exactly the asset you are reporting (example = www.skillshare.com).
Severity – The CVSS calculator is used to evaluate severity and bounty, so to avoid disappointment, be honest and critical when scoring severity.
Weakness – Select the most appropriate vulnerability type (example = SQLi, Improper Access Control, etc.).
Description – A detailed description of the vulnerability and how to reproduce it. This will include videos and screenshots.
Remediation – Details on how to remediate the vulnerability.

Testing Requirements:

No automated security scanners, DDoS testing or destructive security tests. Please note we have a Cloudflare WAF and rate limiting controls in place, and these could block you!

Possible Awards:

We do offer bounty payments, subject to the following:
- It is not already known/reported
- There is demonstrable risk to a user or the company (i.e. no self XSS)

Skillshare has the final say on the bounty level and payouts.

Special Notes:

Please note we have Cloudflare enabled and it is possible that malicious looking traffic will be blocked.

What causes a report to be closed as Informative, Duplicate, N/A or Spam?
- These are just some examples of what may drive your report to a particular type of closure and are not intended to form a complete list.

Spam
- Incomprehensible reports, abusive behavior or harassment within a report, or reports that clearly show no effort to identify a security impact, may be closed as Spam.
- Reports submitted with an apparent intent to sell a product or service to detect or prevent the vulnerabilities described in the report are likely to be closed as Spam.

Duplicate
- When reports on the same asset using the same attack vector/exploit are received, only the first report received is triaged. All other subsequent reports will be marked as a duplicate.
- A vulnerability reported on one domain may exist on another domain if the sites share the same platform.

Informative
- Issues with minimal impact or relating to common security practices that are not prioritized for remediation.
- Reports notifying us of broken links or abandoned social media accounts.
- Reported issues might have a perceived security impact externally, but internally Skillshare may have compensating controls in place.
- Notification of an existing indication of compromise. For example, if you report a subdomain takeover you encounter but did not execute yourself, this would be closed as informative.

N/A
- Violating program rules defined by the Skillshare bug bounty program policy.
- Reports submitted for assets that clearly do not belong to Skillshare.
- Reports identifying issues described in our list of exclusions.

Exclusions (out of scope or known issues)
- Rate limiting issues
- Self XSS
- HTML link embeds in areas such as courses and the comment section of the website.
- Session related issues, as these are known at this time and are being addressed.
- Clickjacking/X-Frame-Options and CSP issues are both known at this time.
- CSRF issues, unless you are able to use them to access sensitive information of another user such as an email address, password, etc.
- Mobile related issues, including "secrets" found within the application, unless there is an associated business risk from abusing those secrets.
- Google Dorking findings related to class/course material

Other Submissions Handling

The website owner wants to receive information about other vulnerabilities.

Notifications:

[email protected]

Reporting Structure and Testing Requirements:

The same as for non-intrusive submissions above.

Possible Awards:

We pay bounties for any new issues that are discovered. For a bounty to be awarded, we require proof of the vulnerability, a valid business risk, and a recommendation on how to address the issue.
