BigBlueButton Bug Bounty Program

About BigBlueButton

BigBlueButton is the leading open-source virtual classroom software, purpose-built for world-class online teaching organizations. Unlike traditional video conferencing applications, BigBlueButton understands the goal of the virtual classroom is not to meet, but to learn. By focusing on pedagogy applied learning and live analytics, BigBlueButton improves learner outcomes for every virtual class.

At BigBlueButton, our platform offers features such as video, live chat, an interactive whiteboard, learning analytics, emojis, breakout rooms, and collaborative tools. Designed with a focus on education, our platform is ideal for remote learning, virtual classrooms, online training, and webinars.

BigBlueButton is integrated into learning management systems (LMS), including but not limited to Moodle, Canvas, Sakai, and Schoology. As a completely open-source project, BigBlueButton was created by a community of dedicated developers passionate about helping improve online learning. It is constantly evolving and improving through a dedicated, growing international user and developer community.

About the scope

This program is limited to a specific list of assets :

• https://github.com/bigbluebutton/bigbluebutton
• https://github.com/bigbluebutton/greenlight
• https://github.com/blindsidenetworks/scalelite
• https://github.com/bigbluebutton/bbb-presentation-video
• https://github.com/bigbluebutton/bbb-playback
• https://github.com/bigbluebutton/bbb-webrtc-sfu
• https://github.com/bigbluebutton/bbb-webrtc-recorder

Reports about other assets won't be eligible for reward and only issues that can be reproduced on the latest stable version will be considered.

Documentation

You may find everything you need to understand how to setup and use our assets in our (ressource center)[https://docs.bigbluebutton.org/].

For a swift setup you may use bbb-install.sh or our docker. Of course, make sure you're using the latest stable version in any case.

Program rules

About report's content

To be eligible, your reports must include the hereafter information :

• General description of the issue
• Details about the impacted function and specific conditions to be met, including the vulnerable code snippet
• Impacted version
• A step by step proof of concept allowing to reliably reproduce the issue, including network exploitation
• Recommendations and fix suggestions

A detailed template will be provided automatically when submitting a report, please stick to it. This will help us ensure a smooth and swift processing of your reports.

Mind that reports that do not follow the template’s guidelines won’t be eligible for reward. Abuse may lead to further sanctions (e.g. spamming or repeated submission of invalid reports).

Testing Policy, Responsible Disclosure

Please adhere to the following rules while performing research on this program:

• Denial of service (DoS) attacks on our applications, servers, networks or infrastructure are strictly forbidden
• All reports must be validated manually, submission from automated tools won't be considered and may lead to sanctions (code analysis tools, AI, …)
• Targeting other users' instances is forbidden, only test against your own
• DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
• Same with secrets, keys and credentials
• No vulnerability disclosure, full, partial or otherwise, is allowed without prior agreement from us
• Please avoid submitting security issues on our repositories before reporting it to this program, your report might be considered as a duplicate if a related submission already exists on our repositories
• The following topics won’t be considered as a valid finding eligible for reward nonetheless, you’re welcome to suggest improvements about it through our repositories but not our bug bounty program :
  • Code improvements/code quality issues without security impact
  • Insecure default/basic configurations
  • Mistakes or lack of precision in our documentation

Furthermore, reports about behaviours that relies on leveraging a legitimate access as an administrator won't be considered for reward. Being administrator of a BigBlueButton realm grants extended rights which could be abused as for any application. Due to our threat model and context of use we won't consider reports that leverage legitimate administrator access under the assumption that the administrator may have malicious intent and could abuse his level of rights.

Reward Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security, however only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability
• You must not break any of the testing policy rules listed above
• You must not be a former or current employee nor a maintainer of our project or one of its contractors
• The vulnerability must be a qualifying vulnerability
• The report must contain the following elements:
  • Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and the company, and remediation advice on fixing the vulnerability
  • Proof of exploitation: screenshots demonstrating the exploit was performed, and showing the final impact
  • Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
• Identical vulnerabilities present in different versions will be considered as a single issue/will warrant a single reward
• Multiple vulnerabilities caused by one underlying issue will be considered as a single issue/will warrant a single reward

Reward amounts are based on:

• Reward grid of the report's scope
• CVSS scoring and actual business impact of the vulnerability upon performing risk analysis