Reward

Bounty

Hall of fame

€250

Low

€1,000

Medium

€3,000

High

€5,000

Critical

€10,000

Program

Avg reward

Max reward

Scopes

Supported languages

English

Hacktivity

Reports

1st response

< 1 day

Reports last 24h

Reports last week

Reports this month

Program description

Program activity

Project

OpenPGP.js is a JavaScript library that implements the OpenPGP standard for message encryption and signing. OpenPGP is typically used for end-to-end encrypted email, signing of git commits and software releases, and encrypted file storage, among other things. Therefore, OpenPGP.js may be used in a wide variety of applications.

This bug bounty program is paid for by the Bug Resilience Program.

Program Rules

Precautions

In this bug bounty, any issue in OpenPGP.js that may plausibly lead to a security vulnerability in an application that uses OpenPGP.js's high-level API correctly, is in-scope, as long as it's caused by OpenPGP.js's non-compliance with the OpenPGP standard, or if it's caused by an issue in the OpenPGP standard that can and should plausibly be worked around in OpenPGP.js.

Reward

Asset value	CVSS Low	CVSS Medium	CVSS High	CVSS Critical
High	€1,000	€3,000	€5,000	€10,000
Medium	€500	€1,500	€2,500	€5,000
Low	€250	€750	€1,250	€2,500

Scopes

Scope	Type	Asset value
Security Vulnerability in OpenPGP.js's high-level API	other	High
Low €1,000 Medium €3,000 High €5,000 Critical €10,000
Security Vulnerability in the OpenPGP Standard	other	Medium
Low €500 Medium €1,500 High €2,500 Critical €5,000
Interoperability Issue in OpenPGP.js	other	Low
Low €250 Medium €750 High €1,250 Critical €2,500

Out of scopes

Security Vulnerabilities that can only be caused by using OpenPGP.js's low-level API, or by using OpenPGP.js's high-level API in an incorrect or unintended way

Security Vulnerabilities in the OpenPGP Standard that are not possible to fix or work around in OpenPGP.js (without causing interoperability issues)

Interoperability Issues that are caused by other OpenPGP implementations' non-compliance with the OpenPGP Standard

Vulnerability types

Qualifying vulnerabilities

OpenPGP.js incorrectly encrypts a message, causing (part of) it to be decryptable by an attacker

OpenPGP.js uses an insecure algorithm (by default) to encrypt a message, causing (part of) it to be decryptable by an attacker

OpenPGP.js incorrectly decrypts or signs the message, causing (part of) the private key to be extractable by an attacker

OpenPGP.js returns unauthenticated data (by default), potentially causing EFAIL-style vulnerabilities

OpenPGP.js incorrectly verifies an invalid signature

OpenPGP.js fails to parse a compliant OpenPGP public key, possibly causing the application or user to send the message in cleartext instead

Non-qualifying vulnerabilities

OpenPGP.js fails to parse a non-compliant OpenPGP public key

Another OpenPGP implementation fails to parse a (compliant) key generated by OpenPGP.js due to to non-compliance with the OpenPGP standard

OpenPGP.js fails to offer forward secrecy, due to a limitation of the OpenPGP standard

A browser's implementation of Web Crypto incorrectly implements a cryptographic algorithm used in the OpenPGP standard (this should ideally be fixed in the browser instead, although - if this doesn't happen - a workaround may be required, in which case it may qualify)

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

Submit report