EC-Council Bug Bounty Program

EC-Council welcomes all the ethical hackers across the globe to participate in the EC-Council Bug Bounty program and collaborate with us in enhancing the security of our infrastructure. While we do our best, sometimes, certain issues escape our attention and may expose our applications to certain exploits.

We believe in working with the research community across the globe as it is a crucial part of identifying and mitigating security vulnerabilities in our products and technologies.We understand that this process is both challenging and time consuming and as such,we incentivize security researchers who report security vulnerabilities in our applications. This enables us to provide a coordinated response and helps us minimize the risk to our constituents.

If you believe you’ve found a security vulnerability in any of our applications, we encourage a responsible disclosure and invite you to work with us to mitigate the vulnerability. This document outlines the scope of the Bug Bounty program.

Terms and Conditions

Target / Scope

All EC-Council’s websites including sub domains and any third party web properties inside EC-Council’s websites.

Out of Scope

Websites which are in beta/under development/staging sites and third party websites/services for which EC-Council acts as a subscriber for resource sharing.

Who can participate ?

If you are above 15 years, you are eligible to participate in the program. Candidates under the age of 15 should obtain a permission from their parent/guardian before participating in the program.

Security professionals working for an organisation should ensure that their organisation permits to participate in the Bug bounty program.

Proof-of-Concept

Vulnerability Title:

Vulnerable Domain/URL: Severity: low, medium, high (as per owasp top 10)

Description:

Proof-of-concept: private video, screen shots with explanation for the vulnerability

Impact of the vulnerability: Explain if this vulnerability can be exploited supporting the above proof-of-concept

Steps to reproduce the issue:

Remediation:

Bug Classes
  • Security misconfiguration leading to configuration file disclosure
  • Directory traversal
  • Disclosure of highly Sensitive information
  • SQL injection
  • XSS – persistent
  • Local file inclusion
  • Privilege escalation
  • Remote code execution
  • Remote file inclusion
The following are excluded from the reward program:
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms those are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Weak Captcha / Captcha Bypass
  • Forgot Password page brute-force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • Username / email enumeration via Login Page error message via Forgot Password error message
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/ List_of_useful_HTTP_headers), e.g. Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Content-Security-Policy-Report-Only, CORS.
  • SSL Issues, e.g.SSL Attacks such as BEAST, BREACH, Renegotiation attack, SSL Forward secrecy not enabled, SSL weak / insecure cipher suites
  • Email Security – SPF, DMARC, DKIM
Responsible Disclosure
  • At EC-Council, our primary goal is to ensure our customers are provided with a great user experience.
  • Vulnerabilities are addressed and resolved in a timely manner.
  • Vulnerability disclosures should remain confidential and can’t be disclosed to third parties.
  • Any details of disclosures should not be posted in public platforms/Social networks until remediation and acknowledgement is obtained from EC-Council.
  • The minimum time to acknowledge a vulnerability after submission is 7-30 working days and the Security team will notify the reporter when the vulnerability is fixed /resolved.
  • If the disclosed vulnerability belongs to any of the third party of EC-Council, the vulnerability will be forwarded to them and will be treated as a coordinated disclosure.
  • Bounty can’t be claimed by a single user with multiple identities and candidates identified with such disclosures will be suspended from the program and any rewards issued will be revoked.
  • Any vulnerabilities reported by the candidates will be considered as one across all EC-Council’s websites and candidates can’t claim a reward per website.
  • The bug must be original and previously unreported.
  • The rewards may be issued prior to remediating the vulnerability.
  • Vulnerability classification will be a sole decision of EC-Council after checking the Proof of concept submitted by the candidate.
  • A proof of concept needs to be submitted by the candidate which is irreversible until the remediation if the vulnerability.
  • The Bug Bounty rewards are awarded at the sole discretion of EC-Council.
  • The rewards cannot be redeemed or exchanged for its monetary value or in lieu of any other product.
  • No two rewards under the program can be clubbed together.
  • Rewards issued under the program are non-transferable.
  • The rewards awarded under the program are valid for a period specified at the time of release and cannot be extended.

Rewards

While finding bugs can be fun and educational, it also gives you the opportunity to get exclusive rewards.

When you find a security vulnerability, it gives us the opportunity to improve the experience for our users. Based on the severity of the issue that you identify and how they contribute to the enhancement of our applications, you will qualify for a wide range of exciting rewards mentioned here.

Note: EC-Council reserves the right to modify the program rules or cancel the bug bounty program without notice at any time. The final decision on bug eligibility and deeming any submission invalid will be made by EC-Council.

Violating any of the agreed policies would require the candidate to return any bounties rewarded for the particular vulnerability and disqualify them for future disclosures.

Rewards Severity
1) Certificate of Appreciation  All 
2) Inclusion in Hall of Fame  All 
3) 50% Discount on Any Courseware  Medium High
4) 1 year Membership Waiver  Medium High
5) 50% Discount on Any Exam  High

Report Bug

"*" indicates required fields

Name*
Please enter your First and Last Name
✓ Valid number ✕ Invalid number
Country*
Please select your country from the drop down menu.
What is the subject of the request
Please enter the details of your request. A member of our support staff will respond as soon as possible.
Max. file size: 128 MB.

  • Security misconfiguration leading to configuration file disclosure
  • Directory traversal
  • Disclosure of highly Sensitive information