
Badoo, following the largest players in the IT industry such as Google, Facebook and Yandex, is starting to pay for the vulnerabilities that are found in it. We are announcing the "Test Badoo's Strength!" competition, which starts on March 19 and lasts exactly one month.
Anyone can take part in the competition, except for Badoo employees. Each participant may send any number of submissions.
Participants undertake to keep the vulnerabilities they find secret until Badoo reports them as fixed in the submissions table, but no longer than until May 31, 2013.
We pay for every new vulnerability found. Vulnerabilities are ranked from the 5th category (500 pounds sterling) down to the 1st category (50 pounds sterling) depending on their criticality. The category is determined by the competition jury.
In addition, we have a special prize! Based on the results of the competition, the 3 most active participants will each receive £1000. If you find something very serious, we may pay out a super bonus above 500 pounds.
Where to look for vulnerabilities:
- badoo.com,
- eu1.badoo.com,
- us1.badoo.com and
- corp.badoo.com.
Mobile versions of the site and applications for social networks are not part of the competition.

Prizes and categories
- Category 5: 500 pounds;
- Category 4: 300 pounds;
- Category 3: 150 pounds;
- Category 2: 100 pounds;
- Category 1: 50 pounds.
We do not want to tie our categories to traditional vulnerability scoring systems. The more damage a vulnerability can cause, the more valuable it is to us and the higher the category we assign to it.
How we award categories
To make things easier, we want to give you some guidance on how categories will be assigned.
- In our experience, most vulnerabilities found from the outside are HTML or XSS injections. If the vulnerability cannot do any damage at all (for example, it only lets you change what a page displays), it receives the lowest, 1st category.
- SQL injections are more dangerous. Suppose you have found a vulnerability that "breaks" an SQL query, but the only result is incorrect display of content on the site. Most likely, such a vulnerability will receive only the 2nd category.
However, if an attacker can use the SQL vulnerability to gain access to the data of one or several users, the vulnerability can receive even the 5th category.
If the vulnerability lets you update data in a user profile, then depending on how critical that data is, we can assign higher categories, up to the 5th.
- CSRF vulnerabilities are also dangerous; the more damage they can cause, the higher the category.
And do not forget that Badoo may pay out a super bonus above £500 if you find something very serious.
We make sure that
- participants receive quick feedback;
- participants can track their submissions and see which vulnerabilities have already been fixed;
- accepted participants receive their prize BEFORE the vulnerability is fixed;
- payment is fast and free of bureaucratic red tape.
The process looks like this
- The participant sends a submission through the form with a detailed description of the vulnerability, steps to reproduce and screenshots / files (optional). The submission must contain enough information for us to reproduce the vulnerability.
- If the form is filled in correctly, a message confirms that everything is fine and the report has been sent to us.
- Within 3 working days we review the submission and decide whether a new vulnerability has been found. The author then receives the answer by e-mail.
- If we accept a submission, it appears in the "Submission status" table with the status "In progress".
- Once your submission has the status "In progress", our representative contacts you within a week to arrange the money transfer. This happens regardless of whether the vulnerability has been fixed yet.
- When the vulnerability is fixed, its description and the "Resolved" status appear in the table. Until that point the participant may not talk about the vulnerability.
Competition Jury
Evgeny Sokolov
Head of Development at Badoo. Joined Badoo in 2012. Before that, he worked at Google Moscow as the head of an engineering team, and in 2010 he headed Google's Moscow Engineering Center.
Prior to Google, he developed financial systems and founded several small companies. Holds a Ph.D. from Stony Brook University.
Alexey Rybak
Deputy Head of Development at Badoo. He has been developing web projects since 1999. His main focus in recent years has been mass social services, photo and video hosting, and dating. Took part in the development of badoo.com (172 million users), mamba.ru, DIV VGTRK and Memonet.
In 1999, he graduated with honors from the Physical Faculty of Moscow State University.
Pavel Dovbush
Head of Client Development at Badoo. Directly involved in JavaScript development as the lead developer.
He specializes primarily in the architecture and optimization of large web applications.
Ilya Ageev
Head of Testing at Badoo. Oversees the testing and deployment processes. Before Badoo, he worked at Begun.