Hacking-Lab Bug Bounty Program
Program Overview
Starting immediately, Compass Security will be overseeing the bug bounty program for all Hacking-Lab Cyber Range systems. This initiative underscores Hacking-Lab AG's commitment to security and the ongoing improvement of our platform. We encourage ethical hackers to participate and help us identify vulnerabilities. Generous rewards await those who contribute to our system's safety. Moreover, the program will provide an opportunity for all security enthusiasts to showcase their skills while contributing to the overall security of the lab environment.
Thank you for your continued support and happy hunting!
Program Details
| Property | Value |
|---|---|
| Last Updated | 13.08.2025 |
| Max. Bounty | CHF 5000 |
| Min. Bounty | CHF 100 |
| Avg. Bounty | CHF 500 |
| Last Payout | 13.08.2025 |
| Budget | no-cap |
Terms, Rules & Standards
This program follows the Platform Standards and the Terms and Conditions. Please review both documents before testing or submitting any reports. They define general rules of engagement, eligibility for bounty rewards, netiquette, confidentiality requirements, and further legal guidelines that apply to all participants.
Scope & Asset Lists
High Risk
- Low: CHF 300
- Medium: CHF 300-640
- High: CHF 640-2560
- Critical: CHF 2560-5000
Assets:
- HL applications (tenants) listed at https://www.hacking-lab.com/customer-logins/
- HL Auth: auth.ost-dc.hacking-lab.com
Medium Risk
- Low: CHF 200
- Medium: CHF 200
- High: CHF 200-512
- Critical: CHF 512-1000
Assets:
- level1.idocker.hacking-lab.com
- cotm.idocker.hacking-lab.com
- acsc.idocker.hacking-lab.com
- kookarai.idocker.hacking-lab.com
- itsa23.idocker.hacking-lab.com
- kuma.hacking-lab.com
Low Risk
- Low: CHF 100
- Medium: CHF 100
- High: CHF 100-256
- Critical: CHF 256-500
Assets:
- 206.189.248.203 (www.hacking-lab.com)
- 159.89.215.106 (infra.hacking-lab.com)
- 165.22.77.217 (update.hacking-lab.com)
- 51.15.43.110 (*.idocker.hacking-lab.com)
Excluded Items
The following targets are excluded from the program, and no rewards will be granted for vulnerabilities reported on them:
- *.vuln.land
- play.hacking-lab.com
- Vulnerabilities in Kookarai Pentesting Linux (Kali) available at https://livecd.hacking-lab.com/largefiles/livecd
- Hacking-Lab VPN used by students of the cyber range (https://github.com/Hacking-Lab/hl2-openvpn-ost.ch)
- Vulnerabilities that can be found in:
- Hacking-Lab code/resources on GitHub.com
- Hacking-Lab code/resources on Gitlab.com
- Hacking-Lab code/resources on Docker Hub
- All systems/applications that are launched by Hacking-Lab students for the purpose of cyber security training
- Docker containers started by a Hacking-Lab student (vuln.land)
- File artefacts downloaded by a Hacking-Lab student (vuln.land)
- Vulnerable Virtual Machines (vuln.land)
- Any 3rd Party-Services (M365, O365, Atlassian, Azure, etc.)
- Everything belonging to Compass Security (please visit the Compass Security Bug Bounty Program)
Specific Program Rules
- HL is a multi-tenant application. An approved bug in one tenant will exist in all other tenants too. Such a bug is eligible for at most one bounty (not one per tenant).
Acknowledgement
Hacking-Lab may give public acknowledgment to individuals who have identified significant vulnerabilities under the program and received bounties. Hacking-Lab might choose to acknowledge you on websites or printed materials, unless you specifically request your name to be excluded.