
Switch ROESTI

on-site event - registered students/edu-ID only

Description

ROESTI is a yearly ethical hacking community event organized by Switch, aimed at boosting IT security within Swiss educational institutions. The acronym stands for "Reporting Open & Exploitable Security Threats and Issues." This hands-on experience enhances participants' practical skills and allows them to collaborate and exchange ideas with fellow students and IT security experts. If you are passionate about cybersecurity and eager to demonstrate your skills, ROESTI is the perfect platform to make an impact. Join us to explore, learn, and contribute to a more secure educational landscape in Switzerland.

Rules

Participating organizations of the Switch ROESTI day operate various services. Only services on the explicitly listed domains/URLs or IP address ranges are in scope for the event. All other domains or IP addresses are not eligible for a reward and do not fall under the Legal Safe Harbor Agreement. Willfully investigating or scanning anything out of scope automatically leads to disqualification. Searching for vulnerabilities is permitted only during the hacking hours of the event. Please note that third-party services are not in scope. The scope lists are handed out physically during the event. Teams are encouraged to switch to a different target after at most two hours, so that teams wanting to target all organizations during the day get the chance to do so. Throughout the event, participants must never knowingly use software or processes that were obtained or retained illegally or unethically.

By participating in this event, participants undertake to document any vulnerability they find exclusively via the platform's designated reporting form and nowhere else. They also agree to keep any vulnerability they find confidential unless the affected organization explicitly agrees to its disclosure. If they receive permission to publish their findings, they must give the organization enough time to minimize the risk of misuse. Finally, if they have obtained any customer or personal data during the event, they must delete all local copies after the event and must not distribute the data further.

Participants must only search for vulnerabilities from the network access provided by the University of Bern. This means that participants are not allowed to use a VPN, proxy, mobile hotspot, etc. during the event.

Participants must immediately cease an investigation when requested to do so by the ROESTI team. If at any point participants think that they may have caused a disruption to the environment, they must halt their investigation, and immediately report to the ROESTI team.

Hacking Methods

By participating in the event, participants agree not to use methods that would adversely affect the tested applications or their users. These include:

  • Social engineering
  • Spamming
  • Phishing
  • Denial-of-service attacks and brute-force attacks
  • Physical attacks
  • Clearing databases and deleting, modifying, or adding records

In addition to the prohibited hacking methods listed above, participants are required to stop vulnerability scanning immediately if they determine that their activity will significantly degrade the operation of the platform or service (negative impact on regular users or on the operations team).

Qualified vulnerabilities

Any reproducible design or implementation problem that affects security can be reported.

Typical examples:

  • Cross Site Request Forgery (CSRF)
  • Cross Site Scripting (XSS)
  • Insecure Direct Object Reference
  • Remote Code Execution (RCE) - Injection Flaws
  • Information Leakage and Improper Error Handling
  • Unauthorized access to properties or accounts

Other examples:

  • Data/information leaks
  • Possibility of data/information exfiltration
  • Backdoors that can be actively exploited
  • Potential for unauthorized system use
  • Misconfigurations

Non-qualified vulnerabilities

The following vulnerabilities and forms of documentation are generally not wanted and will be rejected:

  • Attacks that require physical access to a user's device or network
  • Forms with missing CSRF tokens (unless the criticality exceeds a CVSS score of 5.0)
  • Self-XSS
  • The use of a library known to be vulnerable or publicly known to be broken (unless there is active evidence of exploitability)
  • Reports from automated tools or scans without explanatory documentation
  • Social engineering targeting individuals or entities of the organisation
  • Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
  • Bots, spam, bulk registration
  • Submission of best practices that do not directly result in an exploitable vulnerability (e.g., certificate pinning, missing security headers)
  • Use of vulnerable and "weak" cipher suites/ciphers
  • Missing rate limiting without further security impact

Procedure

Registration

  1. Register on https://swit.ch/roesti-rsvp for the ROESTI event
  2. Login on gobugfree.com with your Switch edu-ID account
  3. Request access for the ROESTI program https://gobugfree.com/programs/roesti while logged in with your Switch edu-ID account
  4. Come to the physical event & start hacking

Bounties

Your team can win prizes: a jury consisting of specialists from Switch and the universities will rate and grade the submitted vulnerabilities in multiple categories and reward the best teams!

The participating organizations consent to participants of the event using hacking methods, as specified in the briefing, for the duration of the event. Because of this consent, the criminal-liability criterion of "unauthorized" obtaining or access is not met, and the security researchers therefore incur no criminal liability under Art. 143 Swiss Criminal Code (Unauthorised obtaining of data) and Art. 143bis Swiss Criminal Code (Unauthorised access to a data processing system).