Real world bug bounty – powered by LocalTapiola.


The challenge is over.


In this private bug bounty, you will face a real world business application. The target system is a modern web based insurance application running in production environment serving actual customers. While LocalTapiola has been running a bug bounty for while, this particular application will be t2 exclusive for the duration of the challenge and has not been previously part of a bug bounty.

Some Finnish/Swedish/Google translate skills may be required. In later stages of the application TUPAS authentication is used, which requires you to have such credentials or collaborate with someone who does.

This being a t2 challenge, we’re expecting quality submissions and have adjusted the bug bounty rules to favor elegance and proven real world exploitability.

The bug bounty is run on the HackerOne -platform.

Operational information

  • Sign-up to the private bug bounty by e-mail challenge-2017@lists.t2.fi and either provide a current working HackerOne-username you would like to use for this challenge, or supply an email-address for which you will need to create a new hackerone-account later in the process.
  • Read through and follow the bug bounty rules
  • The person with the most elegant vulnerability submission will win a free admission to t2’17 infosec conference
  • LocalTapiola may, at their discretion, also award other submissions according to their normal bug bounty policy and rules
  • In this private bug bounty, the elegance matters, not speed. Read through the Challenge 2017 bug bounty policy available on HackerOne to see what we mean.
  • The challenge ends 2017-09-17 23:59:59 UTC+3
  • Update: The challenge covers all of LocalTapiola bug bounty program

Rules of the Challenge

  • 0x0 Anybody can participate, excluding the organizers and employees of the companies/organizations that made the challenge
  • 0x1 Follow the bug bounty rules
  • 0x2 Proof of exploitation does not mean all-out electric post-exploitation boogaloo with firmware implants and interdiction of spare parts
  • 0x3 Seriously, we ask you to respect the fact that the target system is running an actual live production environment


Business application: LocalTapiola, Bugbounty platform: HackerOne, Jury: t2 staff