The information below is for reference only. The SPECIAL public challenge is now closed.
What is SPECIAL?
The SPECIAL project addresses the contradiction between Big Data innovation and privacy-aware data protection by proposing a technical solution that makes both of these goals realistic. SPECIAL allows citizens and organisations to share more data, while guaranteeing data protection compliance, thus enabling both trust and the creation of valuable new insights from shared data. We develop technology which:
- supports the acquisition of user consent at collection time and the recording of both data and metadata (consent policies, event data, context) according to legislative and user-specified policies;
- caters for privacy-aware, secure workflows which include usage/access control, transparency and compliance verification;
- aims to be robust in terms of performance, scalability and security, all of which are necessary to support privacy preserving innovation in Big Data environments; and
- provides a dashboard with feedback and control features which make privacy in Big Data comprehensible and manageable for data subjects, controllers, and processors.
SPECIAL Platform
The SPECIAL platform is an extensible environment for managing personal data usage policies, ensuring compliance with such policies, and tracking personal data usage along with the context it is being used in. The high-level overview of this policy-aware Linked Data architecture and engine is given below:
A demo video is available here. For a detailed description of the system and its components, we strongly recommend consulting at least:
Other relevant project deliverables are also public, and can be found here. Additionally, we also suggest reading about:
What is the SPECIAL Public Challenge?
The SPECIAL Public Challenge is an open call to researchers, ethical hackers, IT professionals and other interested individuals to test and inspect the SPECIAL platform and point out any security vulnerabilities, bugs or flaws in the system or its components.
“I am not familiar with some of the technologies. Can I still participate?”
Basic knowledge of semantic web technologies (OWL, RDF, reasoning engines) is desirable, but not mandatory. There are many other ways you can contribute. Please see the description of the program scope below.
Scope
We are interested in learning about any shortcomings of the SPECIAL platform that could result in a data breach or a violation of a data usage policy. Examples of such shortcomings include bugs in authentication/authorization, the APIs or other parts of the data flows, the logs or log formats, the front-ends, the policy language, etc. The platform can be deployed and tested locally or on any remote server under your control. Additionally, the policy language can be tested outside the platform setup.
Note: This is an early prototype of what is expected to reach TRL5 by 2020. It is, therefore, not production ready.
Below, we describe what is in and out of scope of our Public Challenge program.
In-scope platform components
- Integrated system as a whole
- Compliance engine (but not HermiT itself)
- Consent management front-end(s)
- Transparency & compliance front-end(s)
- Usage policy language
- Policy log vocabulary
Out of scope platform components
- Apache Kafka
- RethinkDB
- Keycloak
- HermiT
- Any other components not built and maintained by the SPECIAL Consortium
Qualifying attacks & vulnerabilities
- Authentication vulnerabilities
- Privilege escalation
- Significant Security Misconfiguration
- Information Disclosure
- Injection vulnerabilities
Non-qualifying attacks & vulnerabilities
- Clickjacking
- Denial of service attacks
- Phishing attacks
- Social engineering attacks
- Content spoofing
- Issues requiring direct physical access
- Flaws affecting out-of-date browsers and plugins
- Weak password policies
- HTTP 404 codes/pages or other HTTP non-200 codes/pages
Process
The process is simple. The challenge program is organized into three 3-month runs, with the last one ending on May 31, 2019. During each of the runs, you get as much time as you want to examine the system and look for flaws. Any time you find something you consider worth mentioning, you prepare a comprehensive report and send it to us for assessment. If we find the report valid, we will immediately reward you with points, based on the severity level of the finding. (Please see ‘Rewards’ below.)
How do I report security issues?
Please send all your findings to special-bugs@ercim.eu, including:
Rewards
Rewards are based on a public score granted entirely at the discretion of the SPECIAL Consortium. To qualify for points under this program, you should:
- Be the first to report a vulnerability;
- Disclose the vulnerability report directly and exclusively to us.
Severity assessment
The more convincing the demonstration of breaking defined policies and compliance rules or otherwise highlighting limitations of our system or its parts, the more points you get. The SPECIAL Consortium reserves the right to determine the level of severity (based on a number of criteria, including the CVSS score), decide if the minimum severity threshold is met, and assess whether the vulnerability was previously reported.
Points per severity level:
- Low: 5 points
- Medium: 10 points
- High: 15 points
Ranking
The first time your report is resolved and closed, your name or chosen alias will be added to our public “Thank you” scoreboard. (Please see ‘Personal data’ for additional information.) For that and every subsequent report, the awarded points will be added to your total score. The total number of accumulated “Thank you” points will determine the participant ranking at the end of the run. The top-3 contributors at the end of each run will get rewards!
This run’s bounties
The prizes will be sent out to the top 3 contributors within 30 days of a completed 3-month run. The SPECIAL Consortium reserves the right to change any of the below awards without prior notice.
- 1st place: a high-end smartphone
- 2nd place: a mid-range smartphone
- 3rd place: a € 50 Amazon voucher
Terms
Participation in the SPECIAL Public Challenge is entirely voluntary. By submitting a report, you are indicating that you have read and agree to our Terms, as outlined below. The SPECIAL Consortium reserves the right to change or modify the terms of this program at any time.
Ground Rules
- Always research and disclose in good faith.
- Never leave any system in a more vulnerable state than you found it.
- Never publicly disclose a vulnerability without our consent, unless the vulnerability has already been disclosed by us.
Eligibility to Participate
To be eligible to participate in our Public Challenge, you must:
- Not be directly affiliated with SPECIAL or any of the project partners.
- Not be in violation of any law or regulation with respect to any activities directly or indirectly related to the SPECIAL Public Challenge, and the involvement must not be an infringement of any law or regulation for SPECIAL or its project partners (e.g. export regulations).
Not meeting the above eligibility criteria or breaching these Terms in any other way gives us the right to, in our sole discretion, remove you from the SPECIAL Public Challenge and disqualify you from receiving any benefit of the SPECIAL Public Challenge.
Personal Data
Please keep in mind that we do not require any personal data apart from what we believe is absolutely necessary for processing vulnerability reports and paying out bounties. We will never ask for more than this. Should you ever disclose more than what is requested of you, we will erase such data on receipt.
As a privacy project, SPECIAL allows anonymous or pseudonymous (alias) submissions to be processed for conducting the hacking challenge. Contact data are, however, greatly appreciated for questions and for getting back to you. Your name or alias will be publicly displayed on the scoreboard. To hand out prizes, winners will be asked for their name and address for shipment, as well as a confirmation that the prize has been received. Depending on the regulatory framework of the partner donating the prize in question, the latter information may need to be stored with their financial information for audit purposes. Contact information of the contributors will be deleted at the latest three months after the SPECIAL project has ended.
You have the right to access your personal data processed by us. You may withdraw your consent to process your personal data – your contributions will then be handled as anonymous or under an alias of your choice.
Getting started
We offer preconfigured installation packages representing different real-world scenarios inspired by our pilot use cases.
BeFit
This is the default package. In this scenario, a fitness tracking application collects personal data, such as physical characteristics and workout activity, for different commercial purposes. It comes with a simple UI for consent management per user, a log generator for synthesizing application processing events, and a transparency and compliance dashboard.
You will find everything you need to get started in our official GitHub repository.
Questions?
Feel free to drop us an e-mail at special-bugs@ercim.eu