
OpenPGP.js Bug Bounty Program

Securing Open Source Ecosystem

Reward

  • Reward types: Bounty, Hall of fame
  • Bounty range: €250 to €10,000
  • Maximum by severity: Low €1,000 · Medium €3,000 · High €5,000 · Critical €10,000

Program

  • Avg reward: -
  • Max reward: -
  • Scopes: 3
  • Supported languages: English

Hacktivity

  • Reports: 2
  • 1st response: < 1 day
  • Reports last 24h: -
  • Reports last week: -
  • Reports this month: -

Project

OpenPGP.js is a JavaScript library that implements the OpenPGP standard for message encryption and signing. OpenPGP is typically used for end-to-end encrypted email, signing of git commits and software releases, and encrypted file storage, among other things. Therefore, OpenPGP.js may be used in a wide variety of applications.

This bug bounty program is paid for by the Bug Resilience Program.

Program Rules

Precautions

In this bug bounty, any issue in OpenPGP.js that may plausibly lead to a security vulnerability in an application that uses OpenPGP.js's high-level API correctly is in scope, as long as it is caused by OpenPGP.js's non-compliance with the OpenPGP standard, or by an issue in the OpenPGP standard that can and should plausibly be worked around in OpenPGP.js.

Reward

Asset value   CVSS Low   CVSS Medium   CVSS High   CVSS Critical
High          €1,000     €3,000        €5,000      €10,000
Medium        €500       €1,500        €2,500      €5,000
Low           €250       €750          €1,250      €2,500

Scopes

Scope                                                   Type    Asset value   Low      Medium   High     Critical
Security Vulnerability in OpenPGP.js's high-level API   other   High          €1,000   €3,000   €5,000   €10,000
Security Vulnerability in the OpenPGP Standard          other   Medium        €500     €1,500   €2,500   €5,000
Interoperability Issue in OpenPGP.js                    other   Low           €250     €750     €1,250   €2,500

Out of scopes

  • Security Vulnerabilities that can only be caused by using OpenPGP.js's low-level API, or by using OpenPGP.js's high-level API in an incorrect or unintended way
  • Security Vulnerabilities in the OpenPGP Standard that are not possible to fix or work around in OpenPGP.js (without causing interoperability issues)
  • Interoperability Issues that are caused by other OpenPGP implementations' non-compliance with the OpenPGP Standard

Vulnerability types

Qualifying vulnerabilities

  • OpenPGP.js incorrectly encrypts a message, causing (part of) it to be decryptable by an attacker
  • OpenPGP.js uses an insecure algorithm (by default) to encrypt a message, causing (part of) it to be decryptable by an attacker
  • OpenPGP.js incorrectly decrypts or signs the message, causing (part of) the private key to be extractable by an attacker
  • OpenPGP.js returns unauthenticated data (by default), potentially causing EFAIL-style vulnerabilities
  • OpenPGP.js incorrectly verifies an invalid signature
  • OpenPGP.js fails to parse a compliant OpenPGP public key, possibly causing the application or user to send the message in cleartext instead

Non-qualifying vulnerabilities

  • OpenPGP.js fails to parse a non-compliant OpenPGP public key
  • Another OpenPGP implementation fails to parse a (compliant) key generated by OpenPGP.js due to non-compliance with the OpenPGP standard
  • OpenPGP.js fails to offer forward secrecy, due to a limitation of the OpenPGP standard
  • A browser's implementation of Web Crypto incorrectly implements a cryptographic algorithm used in the OpenPGP standard (this should ideally be fixed in the browser instead; if that does not happen, a workaround may be required in OpenPGP.js, in which case it may qualify)

Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.