EC-Council Bug Bounty Program
EC-Council welcomes ethical hackers across the globe to participate in the EC-Council Bug Bounty program and collaborate with us in enhancing the security of our infrastructure. While we do our best, certain issues sometimes escape our attention and may expose our applications to exploitation.
We believe in working with the research community across the globe, as it is a crucial part of identifying and mitigating security vulnerabilities in our products and technologies. We understand that this process is both challenging and time consuming, and as such we incentivize security researchers who report security vulnerabilities in our applications. This enables us to provide a coordinated response and helps us minimize the risk to our constituents.
If you believe you have found a security vulnerability in any of our applications, we encourage responsible disclosure and invite you to work with us to mitigate the vulnerability. This document outlines the scope of the Bug Bounty program.
Terms and Conditions
In Scope:
All EC-Council websites, including subdomains and any third-party web properties embedded in EC-Council's websites.
Out of Scope:
Websites that are in beta, under development or staging, and third-party websites/services for which EC-Council acts only as a subscriber for resource sharing.
Who can participate:
If you are above 15 years of age, you are eligible to participate in the program. Candidates under the age of 15 should obtain permission from their parent/guardian before participating in the program.
Security professionals working for an organisation should ensure that their organisation permits them to participate in the Bug Bounty program.
The following vulnerability classes are eligible for the reward program:
- Privilege escalation
- Remote code execution
- Remote file inclusion
- SQL injection
- XSS (persistent)
- Local file inclusion
- Security misconfiguration leading to configuration file disclosure
- Directory traversal
- Disclosure of highly sensitive information
The following are excluded from the reward program:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HttpOnly flags on non-sensitive cookies.
- Weak CAPTCHA / CAPTCHA bypass.
- Brute-force of the Forgot Password page and account lockout not being enforced.
- OPTIONS HTTP method enabled.
- Username / email enumeration via Login Page or Forgot Password error messages.
- Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g. Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Content-Security-Policy-Report-Only, CORS.
- SSL/TLS issues, e.g. attacks such as BEAST, BREACH and renegotiation attacks, forward secrecy not enabled, weak / insecure cipher suites.
- Email security: SPF, DMARC, DKIM.
Severity: low, medium, high (as per OWASP Top 10)
Proof-of-concept: private video or screenshots with an explanation of the vulnerability
Impact of the vulnerability: explain whether this vulnerability can be exploited, supported by the above proof-of-concept
Steps to reproduce the issue:
- At EC-Council, our primary goal is to ensure our customers are provided with a great user experience.
- Vulnerabilities are addressed and resolved in a timely manner.
- Vulnerability disclosures must remain confidential and may not be disclosed to third parties.
- Details of disclosures must not be posted on public platforms or social networks until remediation is complete and acknowledgement has been obtained from EC-Council.
- The minimum time to acknowledge a vulnerability after submission is 7-30 working days; the Security team will notify the reporter when the vulnerability is fixed/resolved.
- If the disclosed vulnerability belongs to any third party of EC-Council, the vulnerability will be forwarded to them and treated as a coordinated disclosure.
- A bounty cannot be claimed by a single user under multiple identities; candidates found doing so will be suspended from the program and any rewards issued will be revoked.
- A vulnerability reported by a candidate is counted once across all EC-Council websites; candidates cannot claim a reward per website.
- The bug must be original and previously unreported.
- Rewards may be issued prior to remediation of the vulnerability.
- Vulnerability classification is the sole decision of EC-Council after reviewing the proof of concept submitted by the candidate.
- The candidate must submit a proof of concept that remains valid until the remediation of the vulnerability.
- Candidates may not participate in the program if they do not agree to the above terms and conditions.