!!! DO NOT SUBMIT CSRF / XSS RELATED REPORTS. THEY WILL BE CLOSED AS NOT APPLICABLE !!!
This program primarily exists to help us find critical vulnerabilities in the Monero and Kovri applications, which are written in C++, with some C and assembly, and QtQuick for the Monero GUI. We are not terribly interested in website vulnerabilities (both the Monero and Kovri sites use Jekyll and produce static HTML) or metadata leaks from volunteer hosting infrastructure.
If you are looking to disclose web app vulnerabilities, or low-hanging fruit like CSRF / XSS bugs, you are looking at the wrong project. These are not web apps!
Only the projects listed in our Vulnerability Response Process are considered in scope.
Other projects, such as the Monero forum, are either being deprecated or are out of scope.
Note: as a pro-privacy project, we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. The live sites are NOT in scope; only the code is!
Firebounty crawled the Monero program on the HackerOne platform on 2017-08-31.