Dreamhack Bug Bounty Program
Program Overview
Dreamhack is South Korea's largest cybersecurity education platform, providing theory, practice, competitions, and community functions all in one platform—a playground for white-hat hackers. It serves students who want to study hacking and security, developers who want to write safer code, and security experts who want to upgrade their knowledge and skills. The platform provides a space where everyone can study, practice, share knowledge, and improve their abilities.
The goal of this program is to identify security vulnerabilities in the Dreamhack platform early and create a safer educational environment.
Program Details
Program Period: 2021.10.05 ~ 2026.10.05
Disclosure Policy: Partial disclosure
Default Report Disclosure Level: Private
Total Reports: 122
Reports Received in Last 90 Days: 11
Bounty Range: ~2,000,000 KRW
Average Bounty: 200,000 KRW
Response Rate (Last 3 Months): 99%
Average Time to First Response (Total): 10 days
Average Time to Bounty (Total): 45 days
Scope
The Dreamhack service in its entirety (refer to the scope page for detailed information)
Reward Structure
| Severity | Bounty |
|---|---|
| Critical | 2,000,000 KRW |
| High | 1,000,000 KRW |
| Medium | 500,000 KRW |
| Low | 100,000 KRW |
| None | 0 KRW |
Rewards are determined based on the risk range of the vulnerability classification and CWSS (Common Weakness Scoring System), but the evaluator may change the final bounty amount at their discretion.
Submission Requirements
Reports must include the following items:
- Vulnerability summary and overview
- Vulnerability details
- Detailed vulnerability explanation
- Proof-of-concept code
- Expected bug cause (optional)
- Solution method (optional)
Response Timeline
| Stage | Timeline |
|---|---|
| First Response | 1 business day |
| Triage | 5 business days |
| Resolution | Varies by vulnerability |
| Bounty | According to PatchDay payment schedule |
Excluded Vulnerability Types
The following are excluded from this program:
- Reports of missing security-related headers (mitigation)
- Known risks being managed
- Arbitrary code execution within wargame instances
- Intentional vulnerabilities in Lecture interactive modules
- Open Redirect
- Self XSS
- Frontend exposure of Sentry, GA, Clarity API keys
- Admin account service activity logs and information exposure
- General account personal information exposure in areas difficult to identify as sensitive
- Vulnerabilities with negligible impact or very low severity/feasibility
Reward Exclusions
Rewards will not be given in the following cases:
- Vulnerability cannot be reproduced at the time of bug report submission
- Vulnerability is already known and being tracked internally by Theori
  - In this case, Theori will provide the researcher with an explanation of the internal discovery circumstances and timeline
- Sensitive information was obtained through unnecessary actions beyond vulnerability proof
- Vulnerability was already reported by another researcher
- The possibility of a vulnerability is presented without proof
Additional Restrictions and Disclosure Policy
- Excessive automated tool use or dummy data creation that could strain the service may be excluded from reward eligibility
- If the researcher leaks vulnerability information externally before it is disclosed through PatchDay, PatchDay may exclude that researcher from reward payment
- For other inquiries, contact: [email protected]
- Emails must not contain any part of, or detailed information about, vulnerabilities