avatar
Bug bounty
Public

ntpd-rs Bug Bounty Program

Securing Open Source Ecosystem

Reward

Bounty
Hall of fame
€250
Low
€500
Medium
€3,000
High
€5,000
Critical
€10,000

Program

Avg reward
-
Max reward
-
Scopes
3

Supported languages
English
Dutch

Hacktivity

Reports
3
1st response
< 1 day
Reports last 24h
-
Reports last week
1
Reports this month
3

Project

ntpd-rs is an open-source implementation of the Network Time Protocol written in Rust, with support for the Network Time Security protocol and a focus on exposing a minimal attack surface.

Scope

You can find our repository on Github

Program Rules

  • We welcome external reviews by security researchers in order to identify bugs in our components.
  • The scope of this program only applies to the software we build, not to our CI infrastructure or our git/website hosting, and any such attack is prohibited.
  • Issues must be reproducible in our setup in order to be accepted as valid.
  • We operate this bounty program on a "One Fix One Reward" basis. We consider an issue duplicated if it was previously reported through other channels, and also if it affects a common code module and it was already reported for a different component.

Precautions

  • Do not include Personally Identifiable Information (PII) in your report and redact or obfuscate any PII that is part of your PoC (logs, screenshot, terminal captures, etc.).

Eligibility

Every valid report that helps us improve the security of the project is welcome, however, in order to qualify for monetary rewards the following eligibility requirements must be met at a minimum:

  • Source of the issue must be in the code published and developed on ntpd-rs (as opposed to a different repository in the same org, or a distribution-specific patch).
  • The vulnerability must be new and not have been reported before, here or elsewhere.
  • The vulnerability must meet the qualifying criteria as defined in the relevant section.
  • A reproducer (code and/or configuration and/or sequence of commands) must accompany the report, the issue must be clearly described, and the issue must be reproducible.
  • You must not be a maintainer of the ntpd-rs project.
  • Our analysis is always based on the worst impact demonstrated in your PoC
  • Only reports affecting the main branch of the project are eligible.

Rating and Responsible Disclosure

CVSS is used to rate and categorize vulnerabilities. Vulnerabilities will be publicly disclosed after sufficient time has passed and fixes have been backported where needed, if deemed necessary in coordination with mainstream Linux distributions.

Advisories will be published on the advisory page of our GitHub repository, and where deemed necessary as CVEs and on external mailing-lists like oss-security.

We handle the full disclosure process and expect submitters not to disclose any findings themselves. If requested, we will fully credit the reporters in the advisories.

The process for external reporting is described on GitHub


Reward

Asset value CVSS
Low
CVSS
Medium
CVSS
High
CVSS
Critical
High
€500€3,000€5,000€10,000

Scopes

ScopeTypeAsset value
https://github.com/pendulum-project/ntpd-rs other
High
Low
€500
Medium
€3,000
High
€5,000
Critical
€10,000
https://github.com/pendulum-project/timestamped-socket other
High
Low
€500
Medium
€3,000
High
€5,000
Critical
€10,000
https://github.com/pendulum-project/clock-steering other
High
Low
€500
Medium
€3,000
High
€5,000
Critical
€10,000

Out of scopes

  • Known protocol limitations related to the NTP protocol
  • Anything related to the NTPv5 and/or NTS Pool KE features (both disabled by default), unless it impacts other parts of the software
  • Anything related to *.ntpd-rs.pendulum-project.org
  • Anything related to the CI pipeline or GitHub related hosting

Vulnerability types

Qualifying vulnerabilities

  • Remote code execution
  • Remote denial of service (excluding protocol limitations)
  • Privilege escalation
  • Misuse of cryptographic primitives
  • Arbitrary clock modifications, using only NTS sources, controlling at most a minority of the NTS sources.

Non-qualifying vulnerabilities

  • Everything not in the qualifying vulnerabilities list is not accepted by default, and might be considered solely at the discretion of the maintainers
  • Report on a purely hypothetical vulnerability containing no reproducible proof of concept
  • Issues only found in outdated versions of our software (i.e. not vulnerable on the HEAD of the main branch)
  • Issues found in external dependencies, including cryptographic backend libraries
  • Issues found by oss-fuzz or other upstream CI systems
  • Denial of Service attacks via our metrics Unix socket

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.