Bug bounty - Hack me contest of Pandit.Tech

Why are you here?

It seems you or your web spider has visited this page either to hack me or purely out of curiosity or coincidence. Whatever your intention, feel welcome.

The contest

You will get our kudos and a reward if you can provide proof of a successful hack into our website. You also need to show how the vulnerability was exploited and can be remedied or patched.


We are on a shared server, so please do not use DDoS or DRDoS. Please also do not use high-speed or intensive scans. Those are techniques used by novices. Instead of finding a vulnerability, you are likely to irritate our host, and your IP address will get banned by our firewalls.

Bug bounty

We follow industry-standard practices for bug bounty programs. We only pay for real vulnerabilities. This does not include minor disclosures (e.g. Cloudflare) or a version number disclosure. We know that Cloudflare uses its own cookie for our visitors, and currently there is no technical way to use the "SameSite" flag for that cookie. Please also note that the DNS records for the webserver and the mailserver are in the public domain. We know that we do not have IPv6 on our mailserver. That is a Tutanota limitation we have already raised with the supplier. Also, we have consciously chosen not to go for HPKP (HTTP Public Key Pinning) for our assets. Please note that Sucuri will show you fictitious pages starting with "404..." that do not really exist. We use robots.txt and sitemap.xml for valid reasons. We do not have DNSSEC yet but have raised the query. You may get a false alarm on "HTTP compression", so hack us with "BLEED" if you can. Finally, we know that the cipher and key exchange for our website can be a bit stronger: it is 90 instead of 100. No stars for telling us that.

Good luck!

Please let me know your IP address if you want me to whitelist it.