Challenge - Secret Manager

• ⏳ Active until : 20th Mars 2026

• 🎁 Three random winners who submit a proper report, including a clear description, PoC, and impact, will receive a special swag pack.

• 📝 One report from these three random winners will be selected as the official solution and published on our blog.

BRUTE FORCE IS NOT ALLOWED!

(Applies only to the Dojo challenge page itself)

A valid solution for the challenge must meet these requirements:

• Your report must include a proof of concept (PoC) showing how you obtained the flag

• The flag must be included in the report

Challenge rules

Those rules applies for each challenge:

• Challenges solves are accepted exclusively in the form of reports on this program.

• The 3 bests quality write-up reports will be rewarded with a swag pack!

• Any report without a fully qualified write-up report will be discarded.

• Flags inside the YesWeHack Dojo sample databases are without value and are publicly accessible from the challenge pages. This is a feature, not a bug.

• Hack smart, don't brute-force or automate testing, challenges are made for manual solving.

• If you leak a solution as a reply to one of our social media thread instead of filling a report, you are spoiling the challenge for the others, don't do it before the challenge ends and winner list is known.

• Don't forget to link your Twitter or Linkedin profile, if you want a highlight in the Winners announcement we will post as a reply to the challenge initial post.

Write-up report

What is a "write-up report"?

The challenges are drawn from real-life vulnerabilities, if you manage to solve a challenge, you must create a report explaining the logic behind your solution: "How did you solve the challenge?"

Why is this important?

• It avoids copy-paste solutions.

• It shows your unique talent as a professional bug bounty hunter.

The best write-up report will be published along with the winners list for each challenge session on our blog.

🎁 Rewards

Swag pack with Yeswehack goodies

We fiercely protect your privacy, no personal information from your profile will ever be used by anyone, except for individual exchanges between you and YesWeHack for the purpose of this challenge and for awarding gifts.

About the Dojo platform

The YesWeHack Dojo is a unique training and learning tool, it allows to witness how code is manipulated by inputs and parameters in real time.

The YesWeHack Dojo also can be used to rebuild complex exploitation scenarios from scratch and share them.

Scopes

Out of scopes

• Everything that's out of the scope root URL

Vulnerability types

Qualifying vulnerabilities

• A working, reproducible, one shot, input string that solves the challenge.

Non-qualifying vulnerabilities

• Anything that isn't related to the current challenge.
• Obtaining the flag without showing a proof of concept on how to solve the challenge.

Hunting requirements

Account access

No automated probes, exploit manually.

To submit a vulnerability report, you need to login with your hunter account.