Bug bounty

Paid to prove us wrong.

Assessly runs exams that students and institutions depend on, so we pay researchers who find the flaws first. Valid findings earn cash, public credit in the hall of fame, and a certificate anyone can verify.

See the hall of fame

Rewards and recognition

What a finding is worth.

Bounties are tiered on real-world impact. We prioritize code execution escapes, data leaks, and database IDORs. Valid security findings are eligible for direct cash payouts from ₹100 to ₹1,000+, determined case by case on assessed severity, business impact, completeness of the proof-of-concept, and real-world exploitability. Payouts go out by UPI or bank transfer.

CriticalTop-tier cash reward + hall of fame + digital certificate + LinkedIn endorsement
HighPremium cash reward + hall of fame + digital certificate
MediumStandard cash reward + hall of fame
LowHall of fame recognition

Hall of fame

Public credit, with your findings on the record.

View the hall of fame

Verifiable certificate

A signed digital certificate with an ID anyone can check at assessly.in/verify.

LinkedIn endorsement

A personal endorsement for critical-class findings.

Cash bounties

Direct payout via UPI or bank transfer once the fix is deployed.

Scope

What counts, and what doesn’t.

In scope, what we’re looking for

  • Authentication bypasses and deep session hijacking.
  • Privilege escalation (e.g., student accessing instructor dashboards).
  • Breaking out of the Judge0 code execution sandbox.
  • Exploits that bypass our proctoring and anti-cheat telemetry.
  • Database IDORs exposing other users' submissions or PII.

Out of scope, closed as N/A

  • Volumetric attacks (DoS/DDoS) against Assessly endpoints.
  • Social engineering against Assessly staff, instructors, or students.
  • Theoretical issues without a demonstrable exploit chain.
  • Missing security headers, SPF/DMARC records, or basic IT hygiene issues.

Rules of engagement

Test hard, test fairly.

Real students sit real exams on this platform, so test in a way that never puts their data or sessions at risk. Want a safe target? Write to hello@assessly.in and we’ll set you up with a sandbox assessment, so you can probe the exam surface without touching a live cohort.

By submitting a report to Assessly, you agree to the following:

  • Keep all vulnerability information strictly confidential until we resolve it.
  • Do not exploit vulnerabilities beyond the minimum necessary to verify them.
  • Delete any sensitive data obtained through testing immediately after reporting.
  • Allow us reasonable time to address the issue before any disclosure.
  • Remove any public disclosure of vulnerabilities that put Assessly at risk, a strict condition of payment.

Safe harbor

We want researchers to feel safe reporting in good faith, so:

  • We will consider security research and vulnerability disclosure conducted in good faith under this policy to be authorized, and we will not pursue or support legal action against you for it.
  • If a third party brings legal action against you for activity that complied with this policy, we will make it known that your testing was authorized.
  • Good faith means staying within the scope above, accessing or modifying only the minimum data needed to demonstrate a finding, never degrading the service for real users, and giving us reasonable time to remediate before any disclosure.
  • This authorization does not cover out-of-scope activity (denial-of-service, social engineering, or accessing real student data) or anything that breaks applicable law.

Triage and evaluation

How a report becomes a payout.

I

Triage

We acknowledge receipt and perform initial triage within 1 to 2 business days.

II

Verification

We reproduce the exploit in a safe staging environment. Severity is evaluated solely by Assessly on actual technical and business impact, not the reporter's self-assessed severity.

III

Resolution

For valid findings we implement and test a patch. Cash payouts, certificates, endorsements, and hall-of-fame updates are finalized once the fix is deployed.

Evaluation criteria and exclusions

First-come, first-servedBounties are only paid for previously unreported vulnerabilities. Duplicates or known issues are not eligible for rewards or recognition.
Roadmap exclusionIssues already tracked on our internal roadmap or under active remediation are excluded from rewards.
Client-side telemetryClient-side enforcement (UI hiding, DevTools detection, local restrictions) is bypassable by design and is not high/critical unless paired with a backend exploit or RLS bypass.
No automated spamScanner-generated reports without manual validation, or purely theoretical concerns, are closed as N/A with no reward.
Single root causeMultiple reports sharing one root cause are grouped and treated as a single submission for a single reward.

Submit a report

Found something? Tell us.

We review and triage most reports within 24 to 48 hours. Prefer email? Send the same details to hello@assessly.in.

Responsible disclosure terms

By submitting a vulnerability to Assessly, you acknowledge that you have read and agree to our responsible disclosure terms, including the strict requirement to remove any public disclosures of vulnerabilities as a condition of payment. You agree to allow us reasonable time to address the issue before any disclosure.

Questions about the program? Email hello@assessly.in. The full security posture is on the security page.

Find the flaw. Take the credit.

File a report and, if it holds up, earn a cash payout, a place in the hall of fame, and a certificate anyone can verify.

See the hall of fame