Hall of fame
Every entry below is a real vulnerability, reported responsibly through the bug bounty program, fixed, and credited. Find a flaw, and your name goes here.
The count
14
Vulnerabilities reported and patched
7
Researchers inducted
Inductees receive a signed digital certificate per finding, each carrying an ID verifiable at assessly.in/verify.
The ledger
01
@bhavya_saini
4 findings · hall of fame inductee
May 2026High
Discovered that the database retrieval function did not validate student enrollment or active attempts, allowing any authenticated user to fetch exam questions, public test cases, and hidden counts before the exam timer started.
May 2026High
Identified overly permissive Row-Level Security (RLS) policies on the main profiles table, exposing 43 sensitive database columns (including suspension states, skill levels, and timeouts) to student peers.
May 2026Low
Reported a compilation mismatch where Java boilerplate templates used class Solution instead of Main, leading to failures inside the isolated compiler sandbox container.
May 2026Medium
Demonstrated that overriding window.fetch before an assessment could silently intercept and block all proctoring violation events from reaching the backend, effectively rendering the anti-cheat system non-functional while maintaining a clean risk profile.
02
@pratham_reet
5 findings · hall of fame inductee
June 2026High
Showed that the profiles table row-level security let a student directly write identity and security critical columns (role, suspension and ban flags, institution, and USN) with only their own session, escalating from student to instructor and self-clearing moderation. Fixed with a BEFORE UPDATE trigger that blocks non-privileged writes to those columns, a read-only USN field, and disabled production source maps.
May 2026High
Demonstrated that a user could insert status validation directly into practice submissions without executing code. Gated and secured with a database validation trigger.
May 2026Medium
Found a logic gap where standard users could trigger queued-mode operations, potentially exhausting sandbox worker slots. Gated by restricting queued actions to system-level calls.
May 2026Low
Uncovered a static token in the frontend bundle that could be used to bypass client-side maintenance mode displays. Fixed by moving the bypass logic server-side.
May 2026Low
Reported a possibility of client-side anti-cheat event forging through unauthorized direct database writes. Gated with strict RLS check parameters.
03
@riddhi_k
1 finding · hall of fame inductee
May 2026High
Exposed a vulnerability where disconnecting internet connection bypassed the browser fullscreen enforcement. Patched using offline fail-closed client state caching.
04
@akhin_s
1 finding · hall of fame inductee
May 2026Medium
Identified overly permissive SELECT permissions on roles mapping table that could allow students to enumerate all administrative role assignments.
05
@pamidi_mohith
1 finding · hall of fame inductee
May 2026Medium
Found that educational practice modules and problem specifications were fetchable without proper session verification. Fixed by applying standard read RLS policies.
06
@akshaya_sree
1 finding · hall of fame inductee
May 2026Low
Highlighted a developer experience issue where boilerplate syntax conflicted with internal compilation rules, creating artificial sandbox errors.
07
@nishant_lungare
1 finding · hall of fame inductee
June 2026High
Reported that any authenticated student could read the reference model solutions and hidden test cases for the entire practice problem bank directly through the REST API (382 model solutions and 343 hidden test sets), undermining scoring integrity. Fixed by relocating answer keys into a service-role-only table with column access removed from the student role.
Responsible disclosure
Every flaw found here is a flaw a student never has to face. The researchers above made the platform safer.
Valid findings earn cash, a verifiable certificate, and a permanent place on this page. The scope and rules are on the bug bounty page.