The OSTIF Bug Bounty Program – How to submit bugs

THE BUG BOUNTY PROGRAM IS ONLY ACTIVE FOR VERACRYPT AND OPENVPN. YOU CANNOT SUBMIT BUGS FOR ANY OTHER PROJECTS AT THIS TIME. THE BOUNTY PROGRAM WILL BE ACTIVE FOR OTHER PROJECTS AFTER THEY ARE AUDITED.

This page is to get information on how to report bugs for bounty. Make sure you understand what the bug bounty is, and the rules.

The process is as follows:

  • You SECURELY submit your bug to the official contact on this page. Do not send information about 0-day vulnerabilities in the clear. We will disqualify you from any award if you do this.
  • Your contact responds to you about your submission and its severity.
  • You allow a reasonable time-frame for the project to patch the software, create CVEs and otherwise complete a response to your report.
  • After the CVEs are live and the issue is patched, the project will give you a unique code that is simultaneously given to us through a secure channel. You then contact the OSTIF securely via PGP, and give us the payment information for your bounty as well as the code.
  • Note – Awards are increased for fixes that include giving the developers any custom tools that you developed to locate the bugs, as it provides a longevity boost to your work and eliminates the chances for regressions or reintroducing similar bugs of the same class. Make sure your tools have documentation and proper commenting in the code so that the developers can utilize / enhance / improve upon your work in the future to receive increased awards.
  • After final verification, we pay out the bounty through your preferred method, and give you credit on the OSTIF website for helping us make the world more secure.

OpenSSL (No bounty active until audit completed)

Click here for the official contact email and PGP key.
Eligible versions: OpenSSL 0.98, 1.00, 1.01, 1.02 and 1.1 beta (current releases only)
Ineligible versions: any forks of this software.

OpenVPN (Maximum Award $5000 USD)

Click here for the official contact email and PGP key.
Eligible versions: OpenVPN 2.3.x and 2.4.x and 3.x (current releases only)
Ineligible versions: any forks of this software, custom VPN clients based on OpenVPN.
Targets: Remote Vulnerabilities, Local Vulnerabilities that that may impact the security of the operating system.

GnuPG (No bounty active until audit completed)

Click here for the official contact email and PGP key.
Eligible versions: All apps within the GPG4WIN suite, GnuPG Stable, GnuPG Modern, GnuPG Classic (current releases only)
Ineligible versions: any forks of this software, custom front-ends, commercial software based on GnuPG code

VeraCrypt (Maximum Award $5000 USD)

Click here for the official contact email and PGP key. (thumbprint 738161CE)
Eligible versions: Current release of VeraCrypt only.
Ineligible versions: other forks of TrueCrypt, any fork of VeraCrypt code.
Targets: Any flaw that weakens the cryptography or leads to information disclosure, or flaws within VeraCrypt that may impact the security of the operating system. Excludes virtual servers / Cloud instances for Full Disk Encryption.

Off the Record (No bounty active until audit completed)

Click here for the official contact email and PGP key.
Eligible versions: Pidgin-OTR, libotr, Adium (current releases only)
Ineligible versions: any forks of OTR, commercial software based on OTR code,  other implementations of OTR in chat clients