WELCOME TO THE BYOS BUG BOUNTY

LAS VEGAS 2019

 

 

About

The Byos Bug Bounty is a challenge designed for you to show your bug bounty skills in a safe and rewarding environment. We will provide you with one unit of our Secure Endpoint Edge device and a platform to keep score. All you have to do is bring your laptop, your software tools, and your knowledge and expertise.

Our plan with this game is to make our product and company better, and we need your help with it.

When

The Bug Bounty will run on August 8th, 9th and 10th, 2019. The schedule is:

  • August 8th: 2 pm - 7 pm

  • August 9th: 11 am - 7 pm

  • August 10th: 11 am - 9 pm (it includes the award ceremony and after party)

Where

We rented an amazing house off the Strip. We will pick you up near the Caesar’s with a limo and take you to the house, where we will receive you with beer, an Argentinean-style barbecue, a pool, and enough space and time for you to take a swing at our product.

And we’ll pay for the beer. And the barbecue. And the limo. And your findings.

How to play

The Byos Bug Bounty is split into 4 levels, according to different bug categories:

  • Low (XSS, CSRF, RFI, broken Web feature)

  • Medium (Stored XSS, SSRF, LFI, DDoS)

  • High (IDOR, SSRF, Auth Bypass, Breaking the Encryption layer)

  • Critical (RCE, IDOR, SSRF, SQLi, Core Protection Mechanism Bypass)

Once you get your device, you will have absolute freedom to try whatever you can think of: software attacks, hardware attacks, communication attacks, USB-based attacks, anything. We won’t stop you.

You can look for bugs at any level you want. Our goal is to learn from your expertise and findings, to reward you for your work, and for all of us to have fun in the process.

Prizes

The bounties will be paid in prepaid credit cards or in BTC, according to the researcher’s preference.

The top 3 finalists with the most findings will also receive extra gifts:

  • First Researcher: Apple Watch

  • Second Researcher: Byos µGateway

  • Third Researcher: Apple AirPods

You can also submit feature requests that you think would be cool or useful for our product. These are not vulnerabilities, but proactive items to implement on our product.

We’ll give you a gift in exchange for each feature request you submit (they have to make sense, though!).

Submitting Reports

Vulnerability reports need to describe the weakness or the type of potential issue discovered, in full detail.

The report should include the following components:

  1. A description of the proof of concept

  2. The nature and classification of the vulnerability, including the severity in the opinion of the researcher

  3. The steps required to reproduce the vulnerability

  4. The potential implications for the company if an attacker were to exploit the vulnerability

  5. A demo of the method, including but not limited to screenshots and videos.

Disclosure

  • Full disclosure from all participating researchers allows Byos to be fully transparent about the security vulnerabilities found in the Byos µGateway. 

  • The disclosure process for this Bug Bounty program is meant to balance transparency with control over what information is shared, to ensure that Byos can create a product that stands up to its security claims.

Awards and After Party

Upon conclusion of the Byos Bug Bounty, there will be a party and awards ceremony, rewarding those researchers who have disclosed vulnerabilities. 

 

Want to participate?

Contact your Byos Bug Bounty mentor to confirm your interest in participating. The address will only be disclosed to the confirmed players.

 

Rules

  • The Byos Bug Bounty will be located at a unique Airbnb; by invitation only, it is reserved for Security Researchers only. 

  • The Byos Secure Endpoint Edge Bug Bounty will run for 24 hours straight. If any researcher wishes to stay at the Bug Bounty, there are individual bedrooms available. Availability is limited so please reserve a spot ASAP.

  • Each researcher will receive one Byos Secure Endpoint Edge hardware device for Bug Bounty purposes. 

  • No researcher is permitted to leave the Byos Bug Bounty with the Secure Endpoint Edge hardware; anyone can leave the Airbnb at any time and return later.

  • There is a strict non-disclosure of vulnerabilities found for a period of 90 days (known as the Lockdown Period). If new vulnerabilities are found after the Lockdown Period, these do not fall under the coverage of the Bug Bounty. Researchers are encouraged to report all vulnerabilities found after the Lockdown Period and will be compensated appropriately.

  • If the source code is discovered during the Bug Bounty, no public disclosure is permitted. The researcher must only disclose the method used to the Byos team. 

  • Any actions to intentionally harm or break the device are forbidden.

  • No remote access to the Byos Secure Endpoint Edge is permitted; this also prohibits any participant from giving any third party control of their computer.

  • Only testing against the Byos Secure Endpoint Edge is permitted; any testing method outside of this is forbidden.

  • By participating in the Byos Bug Bounty and submitting all findings, the researcher does not have the right to claim the vulnerability later in time. The content, intellectual property, copyright, and ownership belong to Byos (Mkit North America Inc.).

  • Vulnerability Disclosure Reports must be clear and reproducible. If two reports disclose the same vulnerability, the clearer and more reproducible report will be awarded the prize.

  • All vulnerabilities found must be reported.

  • Names and faces will not be shown publicly, unless given explicit permission by the researcher.

     

If you have questions, please contact your Byos Bug Bounty mentor.