Security Bug Bounty Program

2020-10-13 23:23

Beancount.io is excited to announce a brand new rewards program for developers in our community! The Security Bug Bounty program is an open offer to external individuals to receive compensation for reporting bugs in beancount.io and the open-sourced Beancount mobile app that affect the security of their core functionality.

No technology is perfect, and we believe that working with developers, engineers, and technologists across the globe is crucial to identifying weaknesses in our project while we build it. If you think you have found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Campaign Period

2020-10-15 17:00 PST to 2020-11-30 17:00 PST

Scope

The following components of Beancount are included in Stage 1 of the Bug Bounty Campaign:

  1. beancount.io/ledger: your personal finance manager.
  2. open-sourced Beancount mobile

Steps to participate and report bugs

  • If the bug is NOT related to personally identifiable information (PII) or exact ledger data, report it through a GitHub issue at https://github.com/puncsky/beancount-mobile/issues/ with the following fields:
    • Asset. Choose the repository the bug relates to and create a “New Issue” in it.
    • Severity. Choose the vulnerability level according to “Qualifying Vulnerabilities”.
    • Summary — Add a summary of the bug
    • Description — Any additional details about this bug
    • Steps — Steps to reproduce
    • Supporting Material/References — Source code to replicate, list any additional material (e.g., screenshots, logs, etc.)
    • Impact — What impact does the bug have, and what could an attacker achieve?
    • Your name, country, and Telegram id for contact.
  • If the bug is related to PII or exact ledger data, do not file a public issue; contact puncsky on Telegram instead and send the same information there.
  • The Beancount.io team will review all reports and provide feedback as quickly as possible, via comments on the issue, or directly via Telegram if the report concerns PII or exact ledger data.
  • Rewards will be distributed as a physical gift, gift card, or USDT equivalent after the campaign finishes, around 2020-12-01 PST.

Qualifying vulnerabilities

To qualify for the bounty, the security bug must be original and previously unreported.

Only design or implementation issues that substantially affect the stability or security of Beancount.io qualify for a reward. Common examples include:

  • Leak of PII or ledger data while the host machine is not compromised
  • A specific action that causes the entire website or mobile app to hang or crash
  • A user affecting another user's account or data without a prior access grant

For reports that do not fall within one of the above categories, we still appreciate help securing our infrastructure and our users, and will reward such reports on a case-by-case basis.

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider the attack scenario, exploitability, and security impact of the bug. The following issues are considered out of scope, and we will NOT accept any of the following types of attacks:

  • Denial of service attacks
  • Phishing attacks
  • Social engineering attacks
  • Reflected file download
  • Software version disclosure
  • Issues requiring direct physical access
  • Issues requiring exceedingly unlikely user interaction
  • Flaws affecting out-of-date browsers and plugins
  • Publicly accessible login panels
  • CSV injection
  • Email enumeration / account oracles
  • CSP weaknesses
  • Email spoofing
  • Techniques allowing you to view user profile photos (these are considered public)

Rewards

The prize for the most critical bug exposing PII and ledger data is an AirPods Pro (in the U.S.) or USDT equivalent.

The prize for a security bug is a $20 Amazon Gift Card or USDT equivalent.

We are a small team with a limited budget and can distribute only:

  • 1 AirPods Pro in total.
  • 10 $20 rewards per month, for up to 3 months. If the number of qualifying reports in a month exceeds that amount, the remaining rewards will be sent the following month ($600 in total for this campaign).

Got questions?

Ask us at https://t.me/beancount