Live Hacking Event Policy

Event Date: June 28, 2025 | Duration: 4-5 hours

Event Overview: Welcome to SLASH's Live Hacking Event powered by SecurityWall. Time to put your hacking skills to the test!

Program Scope

Instance/Asset | URL/Endpoint | Additional Info | Status | Purpose
Production | slash.securitywall.co, api-slash.securitywall.co | | OUT OF SCOPE | Live production environment - Do NOT test
Main Domain | securitywall.co | All subdomains except those listed in scope | OUT OF SCOPE | Company website and other services
Leaderboard | leaderboard.securitywall.co | Event leaderboard system | OUT OF SCOPE | Leaderboard viewing only - Do NOT test
Testing Environment | lhe-slash.securitywall.co, api-lhe-slash.securitywall.co | | IN SCOPE | Primary testing target for vulnerability hunting
S3 Buckets | slash-attachments | AWS S3 bucket for file attachments | IN SCOPE | AWS S3 Misconfigurations
S3 Buckets | slash-avatars | AWS S3 bucket for user avatars | IN SCOPE | AWS S3 Misconfigurations
Reporting Platform | lhe-reporting.securitywall.co, api-reporting-slash.securitywall.co | | REPORTING ONLY | For submitting bug reports (credentials provided via email)

IMPORTANT: Testing production systems or out-of-scope domains will get you instantly disqualified — and rumor has it, no food or snacks for you at the live hacking event! So play nice and hack responsibly! 🎯

In-Scope Vulnerabilities

  • JWT Token Manipulation: Token forging, signature bypasses, claims manipulation, refresh token abuse (impersonation is fun, isn't it?)
  • Authentication & Authorization: Multi-role bypass (admin/client/pentester), session management flaws, privilege escalation (try logging in as the boss!)
  • Two-Factor Authentication Bypasses: TOTP bypasses, 2FA setup vulnerabilities (2FA? More like noFA!)
  • MongoDB Injection: NoSQL injection, aggregation pipeline manipulation, document structure attacks (who said $ne was safe?)
  • IDOR (Insecure Direct Object References): Client data isolation bypass, pentest access control, vulnerability report manipulation (sneak into someone else's pentest!)
  • File Upload Vulnerabilities: S3 upload bypasses, attachment manipulation, path traversal, malicious file uploads (your payload can wear a disguise!)
  • Cross-Site Scripting (XSS): Stored XSS in comments/reports, reflected XSS, DOM-based XSS (script kiddies, assemble!)
  • Business Logic Vulnerabilities: Pentest workflow bypasses, vulnerability status manipulation, role assignment flaws (bend the workflow to your will!)
  • API Security Issues: REST API authentication bypass, excessive data exposure (expose secrets like it's show-and-tell!)
  • Email Template Injection: SMTP injection, template manipulation (spam-yourself party anyone?)
  • AWS S3 Security Issues: Bucket misconfigurations, presigned URL abuse, unauthorized file access (bucket list: own the bucket!)
  • Cross-Site Request Forgery (CSRF): State-changing operations without proper CSRF protection (it's like magic without consent!)
  • Security Misconfigurations: Helmet bypass, MongoDB exposure (bypass helmet, hack the host!)
  • Jira Integration Vulnerabilities: OAuth token abuse, integration manipulation (open a ticket to your advantage!)

Out-of-Scope Vulnerabilities

  • Denial of Service (DoS/DDoS) attacks - Don't crash our servers, we need them for the event!
  • Social engineering attacks against SecurityWall employees - No bribing the staff with pizza
  • Physical attacks against facilities or personnel - Keep it digital, folks
  • Self-XSS that requires user interaction beyond normal usage
  • Brute force attacks on login forms (Turnstile protection is in place)
  • Missing security headers without demonstrable security impact
  • Username enumeration on login/signup forms
  • Clickjacking on non-sensitive pages
  • Open redirect without additional security impact
  • Logout CSRF - Who cares if someone logs you out?
  • Password policy violations - Weak passwords are a user problem
  • Missing CAPTCHA on non-critical forms
  • Autocomplete attributes on non-sensitive forms
  • Content spoofing without security impact
  • Host header injection without security impact
  • Email bombing - Don't spam our notification system
  • Third-party vulnerabilities (AWS, MongoDB, Node.js) - Not our code, not our problem
  • Reports without proof of concept - "Trust me bro" is not a valid PoC
  • Subdomain takeover on non-existent subdomains
  • SSL/TLS configuration issues - That's the infrastructure team's job
  • Insecure Local Storage - Design choice, not a bug

Bounty Structure

Severity Level | Bounty Amount (USD) | Description | Examples
Critical | $400 - $500 | Severe vulnerabilities with immediate impact | RCE, SQL Injection, Authentication Bypass
High | $250 | Significant security impact | Privilege Escalation, XSS (Stored), IDOR
Medium | $100 | Moderate security impact | XSS (Reflected), CSRF, Information Disclosure
Low | $50 | Minor security issues | Security Misconfigurations, Minor Info Disclosure

Awards & Recognition

  • Swags will be provided to all participants
  • Leaderboard will be maintained throughout the event
  • Bragging rights for finding the most creative vulnerabilities
  • Recognition in the security community

Reporting Process

Step 1: Access Testing Environment Credentials

To obtain your testing credentials for lhe-slash.securitywall.co:

  1. Log in to https://lhe-reporting.securitywall.co using the credentials provided via email
  2. Navigate to the "Assigned Pentests" section
  3. Click "Switch Client" if you haven't selected one already
  4. Choose the "LHE-SLASH" Client
  5. Access the pentest named "LHE-<YOURNAME>"
  6. Find your testing credentials in the right sidebar of the pentest dashboard

Account Management: The provided credentials are for admin role accounts. You may create additional client user role accounts and pentester role accounts as needed for your testing. Since all participants share the same testing environment, please do not delete other participants' testing accounts and maintain respectful conduct throughout the event.

Step 2: Submit Your Vulnerability Reports

To report your findings:

  1. Navigate to the "Vulnerability Reports" section from the left panel
  2. Select the "LHE-SLASH" Client if you haven't already
  3. Click "Add Vulnerabilities" to access the reporting form
  4. Complete all required fields with detailed vulnerability information

Each vulnerability report should include:

  • Title: Clear and descriptive vulnerability title
  • Severity: Your assessment of the vulnerability's impact (Critical/High/Medium/Low)
  • Affected URL/Endpoint: Specific location where vulnerability exists
  • Vulnerability Type: Category of vulnerability (XSS, SQLi, IDOR, etc.)
  • Description: Detailed explanation of the vulnerability
  • Steps to Reproduce: Clear, numbered steps to reproduce the issue
  • Proof of Concept: Screenshots, videos, or code demonstrating the vulnerability
  • Impact: Explanation of the potential security impact
  • Recommended Fix: Suggested remediation steps

Step 3: Live Assessment

Our security team will:

  • Review submissions in real-time during the event
  • Reproduce and validate the vulnerability
  • Determine final severity and bounty amount
  • Update the leaderboard and provide immediate feedback

Pro Tip: Make your reports detailed and include solid proof of concept. Half-baked reports are like half-baked cookies - nobody wants them! 🍪

Rules of Engagement

Authorized Testing

  • Only test the in-scope domains listed above
  • Use only the testing environment (lhe-slash.securitywall.co)
  • Do not access, modify, or delete other users' data
  • Create your own test accounts for testing purposes
  • Respect rate limits and do not overload the system

Prohibited Activities

  • Do not test production systems (slash.securitywall.co)
  • Do not perform DoS/DDoS attacks
  • Do not access other participants' accounts or data
  • Do not perform social engineering against event staff
  • Do not attempt physical security testing
  • Do not disclose vulnerabilities publicly before resolution

Disqualification Criteria

Participants will be disqualified for:

  • Testing production systems (slash.securitywall.co)
  • Performing prohibited activities listed above
  • Attempting social engineering attacks
  • Sharing vulnerabilities publicly before resolution
  • Violating terms of service or acceptable use policies
  • Using automated scanners without prior approval

Timeline & Deadlines

  • Event Date: June 28, 2025
  • Event Duration: 4-5 hours
  • Report Submission: Real-time during the event
  • Results Announcement: End of event day
  • Payment Processing: Within 30 days of event completion

Contact Information

Event Coordinators:

  • Email: hisham@securitywall.co
  • Emergency Contact: 03116133769, 03179988799
  • Event Support: Available during event hours
  • Technical Issues: Report via email (support@securitywall.co)

Important: Check your email for reporting platform credentials and any event updates. Also keep an eye on the WhatsApp group for the latest updates.