bug-bounties.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<link href="favicon.ico" rel="icon" />
<meta property="og:type" content="website" />
<meta property="og:image" content="http://shadowproject.io/img/sdc-sharing_promo.png" />
<link rel="stylesheet" href="css/shadowproject.css">
<title>Bug Bounties • Shadow Project</title>
<meta property="og:title" content="Bug Bounties • Shadow Project" />
<meta property="og:description" content="According to Linus’ Law, “given enough eyeballs, all bugs are shallow”." />
<meta property="og:url" content="http://shadowproject.io/bug-bounties" />
</head>
<body>
<div id="header">
<div class="row">
<div class="column">
<div class="logo">
<h1 class="logotype"><a href="//shadowproject.io">
<i class="ico ico-shadow"></i>Shadow<span class="red">Project</span><span class="grey">.io</span>
</a></h1>
</div>
</div>
</div>
</div><!-- #header -->
<div class="row">
<div class="medium-4 large-3 columns">
<div id="sidebar">
<ul class="nav">
<li><a href="introduction">Introduction</a></li>
<li><a href="getting-started">Getting started</a></li>
<li><a href="features">Features</a></li>
<li><a href="documentation">Documentation</a></li>
<li><a href="development">Development</a></li>
<li><a href="roadmap">Roadmap</a></li>
<li><a class="active" href="bug-bounties">Bug Bounties</a></li>
<li><a href="community">Community</a></li>
<li><a href="faq">FAQ</a></li>
</ul>
<div class="part">
<div class="donate desc">Donate</div>
<a class="donate secondary button btc" title="Donate Bitcoin" href="bitcoin:1GiosBkSpN8RS9pm1kgZU8AZUBEnLKYFem&label=SDC%20Dev%20Fund">
<i class="ico ico-bitcoin"></i>
</a>
<a class="donate secondary button sdc" title="Donate ShadowCash" href="shadowcoin:SdcDevWEbq3CZgZc8UNbST1TaYLA5vLZTS&label=SDC%20Dev%20Fund">
<i class="ico ico-shadow"></i>
</a>
</div>
</div><!-- #sidebar -->
</div>
<div class="medium-8 large-9 columns">
<div id="content">
<h2>Shadow Bug &amp; Bounty Program</h2>
<p>
According to <a href="http://en.wikipedia.org/wiki/Linus">Linus’ Law</a>, <em>“given enough eyeballs, all bugs are shallow”</em>. That’s one of the reasons why Shadow’s source code is publicly available; but merely making the source code available doesn’t accomplish anything if people don’t read it!
</p>
<p>
For this reason, Shadow has a series of bug bounties. Similar to the bounties offered by <a href="http://www.mozilla.org/security/bug-bounty.html">Mozilla</a> and <a href="http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html">Google</a>, Shadow bug bounties provide an opportunity for people who find bugs to be compensated. Unlike those programs, however, Shadow’s bounties are not limited to security vulnerabilities.
</p>
<p>
Depending on the type of bug and when it is reported, different bounties will be awarded. Each bounty has a fixed US Dollar value and is paid out in SDC, converted at the 3-day average SDC/USD rate.
</p>
<h3>Things that do not qualify under the bug bounty</h3>
<ul>
<li>Bugs found on third-party/community sites, software or services that are not due to an improper configuration issue specific to us. Please submit any potential issues to the maintainers of that site or providers of that service.</li>
<li>Vulnerabilities which are too broad or not documented properly (i.e. do not include a specific example relevant to a Shadow-controlled site or application).</li>
<li>Bugs or issues with a third-party site, software, or service that we use, which are not due to an improper configuration issue specific to us. Please submit any potential issues to the maintainers of that site or providers of that service.</li>
<li>Bugs and errors found in software/code that is still undergoing alpha or beta testing.</li>
<li>Usability issues</li>
<li>Anything requiring social engineering</li>
<li>DOS/DDOS attacks</li>
<li>Missing HSTS, missing HttpOnly or Secure cookie flags, browser cache vulnerabilities</li>
<li>CSRF that doesn’t affect the victim</li>
<li>Referrer leakage to pages an attacker cannot control.</li>
<li>The presence of unnecessary files, e.g. for backups, when these files do not expose any sensitive information.</li>
<li>Anything that is the result of automated Nessus/PCI scans (too general)</li>
<li>DNS issues (e.g. lack of an SPF record)</li>
<li>SSL certificate issues</li>
<li>Bugs that have received mainstream tech media or community attention before the date of your disclosure.</li>
</ul>
<h2>Bug Bounties &amp; Rewards</h2>
<table>
<tr>
<th>$1500</th>
<td>Deanonymize ShadowChat or ShadowSend (proof that a protocol is not anonymous)</td>
</tr>
<tr>
<th>$750</th>
<td>A flaw in the protocol that allows for theft or loss of funds</td>
</tr>
<tr>
<th>$500</th>
<td>A bug in the reference client that leads to consensus issues</td>
</tr>
<tr>
<th>$250</th>
<td>A bug which causes data corruption or loss</td>
</tr>
<tr>
<th>$100</th>
<td>A bug which causes the application to crash</td>
</tr>
<tr>
<th>$50</th>
<td>Other non-harmless bugs</td>
</tr>
<tr>
<th>$10</th>
<td>‘Harmless’ bugs, e.g. cosmetic errors</td>
</tr>
</table>
<div class="message">
<em>Note</em> — Bounties will be paid out for bugs found in the <a href="https://github.com/ShadowProject/shadow/tree/master">master branch of the official GitHub repositories</a>.
</div>
<div class="edit-me">
<a href="https://github.com/shadowproject/shadowproject.github.io/edit/master/bug-bounties.html" class="secondary button">Edit this page</a> Found a mistake or outdated information? Edit this page on GitHub!
</div>
</div><!-- #content -->
</div>
</div>
<div id="footer">
<div class="row">
<div class="medium-5 columns">
<div class="copyright">
<p>© 2015 <a href="http://shadowproject.io">shadowproject.io</a> • contact [at] shadowproject.io</p>
</div>
</div>
<div class="medium-7 columns">
<div class="links">
<p>
<a href="development">Contribute</a> • <a href="legal">Legal</a> • 
<a href="https://github.com/shadowproject"><i class="icon ico-github"></i></a>
<a href="https://www.facebook.com/shadowcrypto"><i class="icon ico-facebook"></i></a>
<a href="https://twitter.com/sdcoin"><i class="icon ico-twitter"></i></a>
<a href="https://google.com/+ShadowCash-SDC"><i class="icon ico-gplus"></i></a>
<a href="https://www.youtube.com/channel/UC-Nhf9JWCXvQi4pXxXNqy7Q"><i class="icon ico-youtube"></i></a>
</p>
</div>
</div>
</div>
</div><!-- #footer -->
<script src="js/jquery-1.11.2.min.js"></script>
<script src="js/shadowproject.js"></script>
</body>
</html>