Beat the scanner
Calling all security researchers, developers, and API security enthusiasts! Create an API with known vulnerabilities, run the APIsec scanner against it, and report any flaws that were missed. Find a gap, get a reward.
.png)
How it Works
1. Build a Vulnerable App
Create an API containing one or more known security flaws.
Vulnerabilities should be intentional and documentable (e.g., broken authentication, excessive data exposure, BOLA, etc.).
The API must be deployed in a testable environment (self-hosted, cloud, or sandbox).
2. Run APIsec Scanner
Scan your API using the APIsec automated security scanner.
Document any security issues that APIsec successfully detects.
3. Report a Missed Finding
If APIsec fails to identify a vulnerability present in the API, submit a detailed report, including:
~ API documentation & endpoint details
~ Vulnerability type and proof-of-concept (PoC)
~ Steps to reproduce
~ Expected vs. actual scan results
Earn Rewards & Recognition
Improve your API security knowledge in a hands-on way and gain recognition as an API security expert. If the missed vulnerability is valid and reproducible, you'll get a reward based on severity
Rewards Include:
- Low: APIsec University CASA exam voucher
- Medium: APIsec University CASA + ASCP exam vouchers
- High/Critical: APIsec University CASA + ASCP exam vouchers + 1 year APIsec Pen Test License
- All accepted submissions earn you public recognition (LinkedIn, badging)
Rules of Participation:
- No real-world or production APIs all testing must be done in safe environments
- Submissions must follow responsible disclosure guidelines
- All reports will be reviewed by the APIsec team
- Participants must not attempt to exploit vulnerabilities in unauthorized environments