This bounty program is for the FileZilla Client and the libfilezilla library
While researching, we'd like to ask you to refrain from:
The bug bounty program will test only:
All reported bugs must have a security impact. If you encounter ordinary bugs without security impact, please report them on https://trac.filezilla- project.org/ __
(Note: A separate bounty program for FileZilla Server may be creatd in the future)
The following components are also explicitly not in the scope:
While FileZilla is cross-platform, vulnerabilities are to be evaluated given contemporary computer architectures.
Submissions must include either:
FileZilla uses the GNU autotools as build system.
It, as well as almost all its dependencies, can be built using the familiar
configure && make && make install trinity.
The following two guides have recently been updated and can be used to build FileZilla:
FileZilla directly depends on the following libraries:
FileZilla is organized in different components. The most important components are, identified by subdirectory:
src/engine: The protocol implementations
src/engine/ftp: FTP specific functionality
src/engine/sftp: SFTP specific functionality, wraps around fzsftp
src/engine/http: Everything specific to HTTP functionality
src/interface: The user interface and controlling logic such as the transfer queue
src/putty: Source for fzsftp, a heavily modified version of PuTTY's psftp
src/fzshellext: The Windows shell extension to facilitate Drag&drop from Explorer into FileZilla.
Due to their importance or complexity, we think these parts of the code warrant a closer look:
src/engine/directorylistingparser.cpp: The directory listing parser in
src/interface/updater.cpp: The update mechanism
src/engine/http/request.cpp: The HTTP state machine capable of request pipelining
lib/tls_layer_impl.cpp: Certificate verification
lib/encryption.cpp: The asymmetric encryption scheme used for the master password functionality
Our rewards are based on the severity of a vulnerability. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity.
SEVERITY | CVSS SCORE | REWARD
critical | 9.0 - 10.0 | €5000
High | 7.0 - 8.9 | €2500
Medium | 4.0 - 6.9 | €1000
Low | 0.1 - 3.9 | €250
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If you have any questions or concerns on this challenge, please contact email@example.com.
Thank you for helping keep FileZilla and our users safe!
|Scope Type||Scope Name|
|Scope Type||Scope Name|
Firebounty have crawled on 2019-11-08 the programe FileZilla on the platform Hackerone.