Challenge Rules

Anyone registering for the Caduceus Bug Bounty Challenge agrees to abide by the following rules:

  • Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our businesses, including Denial of Service (DoS) attacks
  • Do not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program)
  • Do not publicly disclose any vulnerabilities without our consent. Caduceus will not approve Public Disclosure requests until the vulnerability has been resolved
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
  • Do not use scanners or automated tools to find vulnerabilities. They are noisy and we may ban your IP address
  • Submit only one vulnerability per submission unless you need to chain vulnerabilities to demonstrate the impact of any of them
  • If Caduceus receives duplicate reports of a specific vulnerability, only the first report is eligible for a reward