
Young Writers Society


Hacking YWS



Fri May 06, 2016 7:00 pm
Nate says...



If you have it in mind to try discovering some vulnerabilities on YWS, great! In the past, YWS has had several members who have reported potential security vulnerabilities to me, and this has made YWS stronger. However, I've never made up a set of rules for those who are interested in doing this, and that is in itself a potential vulnerability.


Segments in Scope

  • Anything that does not involve accessing sensitive user information, such as (but not limited to) emails, passwords, and private messages, is in scope.
  • Anything that does not involve modifying a file is in scope.


Qualifying Vulnerabilities

  • Cross-site scripting,
  • Cross-site request forgery,
  • Mixed-content scripts,
  • Authentication or authorization flaws,
  • SQL injections,
  • Server-side code execution bugs.


Rules of Engagement

  • Please inform me about your intentions before testing vulnerabilities. This is not an absolute requirement, except if you are doing something that potentially compromises the security of the server, such as a remote execution exploit. While I understand most companies do not have this requirement, those are companies: I alone manage the code base and the server. As such, it's very easy to get in touch with me, and I'm a little bit more worried about someone doing something by accident that ruins the server.
  • Please inform me of your results as soon as possible.
  • Do not share with others anything about the vulnerability until I have plugged it. This includes just saying you successfully hacked YWS. After I have plugged it, you are free to say how you did it.


Questions?

I am keeping this thread locked just to keep it tidy. If you have any questions, please send me a PM.







