Hall of fame

The researchers who made Assessly safer.

Every entry below is a real vulnerability, reported responsibly through the bug bounty program, fixed, and credited. Find a flaw, and your name goes here.

The count

14

Vulnerabilities reported and patched

7

Researchers inducted

Inductees receive a signed digital certificate per finding, each carrying an ID verifiable at assessly.in/verify.

The ledger

Every name, every finding, on the record.

01

Bhavya Saini

@bhavya_saini

4 findings · hall of fame inductee

  • May 2026High

    IDOR on get_assessment_for_student RPC Allowing Pre-Exam Question Leakage

    Discovered that the database retrieval function did not validate student enrollment or active attempts, allowing any authenticated user to fetch exam questions, public test cases, and hidden counts before the exam timer started.

  • May 2026High

    Authenticated Bulk Profile Disclosure via Weak RLS on /profiles Endpoint

    Identified overly permissive Row-Level Security (RLS) policies on the main profiles table, exposing 43 sensitive database columns (including suspension states, skill levels, and timeouts) to student peers.

  • May 2026Low

    Java Boilerplate Compilation Mismatch with Judge0 Execution Engine

    Reported a compilation mismatch where Java boilerplate templates used class Solution instead of Main, leading to failures inside the isolated compiler sandbox container.

  • May 2026Medium

    Anti-Cheat Proctoring Bypass via Client-Side Fetch Interception

    Demonstrated that overriding window.fetch before an assessment could silently intercept and block all proctoring violation events from reaching the backend, effectively rendering the anti-cheat system non-functional while maintaining a clean risk profile.

02

Pratham Reet

@pratham_reet

5 findings · hall of fame inductee

  • June 2026High

    Student Self-Escalation to Instructor via Unrestricted Column Writes on the Profiles Table

    Showed that the profiles table row-level security let a student directly write identity and security critical columns (role, suspension and ban flags, institution, and USN) with only their own session, escalating from student to instructor and self-clearing moderation. Fixed with a BEFORE UPDATE trigger that blocks non-privileged writes to those columns, a read-only USN field, and disabled production source maps.

  • May 2026High

    Practice Problem Test-Case Validation Bypass via Direct REST API Injection (BOLA)

    Demonstrated that a user could insert status validation directly into practice submissions without executing code. Gated and secured with a database validation trigger.

  • May 2026Medium

    Backend Code Execution Queue Bypass and DoS via Unvalidated mode Parameter

    Found a logic gap where standard users could trigger queued-mode operations, potentially exhausting sandbox worker slots. Gated by restricting queued actions to system-level calls.

  • May 2026Low

    Client-Side Maintenance Mode Bypass via Hardcoded Static Token

    Uncovered a static token in the frontend bundle that could be used to bypass client-side maintenance mode displays. Fixed by moving the bypass logic server-side.

  • May 2026Low

    Anti-Cheat / Proctoring Event Modification via Direct Database Writes

    Reported a possibility of client-side anti-cheat event forging through unauthorized direct database writes. Gated with strict RLS check parameters.

03

Riddhi K

@riddhi_k

1 finding · hall of fame inductee

  • May 2026High

    Assessment Integrity Bypass via Network Disconnection (Full-Screen Escape)

    Exposed a vulnerability where disconnecting internet connection bypassed the browser fullscreen enforcement. Patched using offline fail-closed client state caching.

04

Akhin S

@akhin_s

1 finding · hall of fame inductee

  • May 2026Medium

    Missing SELECT RLS Policies on Multiple Supabase Tables (e.g. user_roles)

    Identified overly permissive SELECT permissions on roles mapping table that could allow students to enumerate all administrative role assignments.

05

Pamidi Mohith Eswar

@pamidi_mohith

1 finding · hall of fame inductee

  • May 2026Medium

    Anonymous Access to Internal Educational and Assessment Content via Weak RLS

    Found that educational practice modules and problem specifications were fetchable without proper session verification. Fixed by applying standard read RLS policies.

06

Bachu Akshaya Sree

@akshaya_sree

1 finding · hall of fame inductee

  • May 2026Low

    Java Class Naming Mismatch Causing Compilation Failures in Code Runner

    Highlighted a developer experience issue where boilerplate syntax conflicted with internal compilation rules, creating artificial sandbox errors.

07

Nishant Lungare

@nishant_lungare

1 finding · hall of fame inductee

  • June 2026High

    Authenticated Disclosure of Model Solutions & Hidden Test Cases via PostgREST Column Exposure

    Reported that any authenticated student could read the reference model solutions and hidden test cases for the entire practice problem bank directly through the REST API (382 model solutions and 343 hidden test sets), undermining scoring integrity. Fixed by relocating answer keys into a service-role-only table with column access removed from the student role.

Responsible disclosure

Report it the right way, and the credit is permanent.

01ReportSubmit through the bug bounty program, with enough detail for us to reproduce the flaw and confirm its impact.
02FixWe triage, patch, and verify the remediation. Every entry on this page corresponds to a fix that actually shipped.
03CreditValid findings earn cash, a verifiable certificate, and a permanent place in this ledger under your name.

Every flaw found here is a flaw a student never has to face. The researchers above made the platform safer.

The next entry is yours.

Valid findings earn cash, a verifiable certificate, and a permanent place on this page. The scope and rules are on the bug bounty page.