Project

CycloneDX Rust is a project to read, write and generate CycloneDX SBOMs.

It is split into two main projects:

• cyclonedx-bom is a Rust library to read and write CycloneDX SBOMs to and from Rust structs
• cargo-cyclonedx is a Rust application, which generates CycloneDX SBOMs for Cargo based Rust projects (it uses cyclonedx-bom for that purpose)

This bug bounty program is paid for by the Sovereign Tech Resilience program.

Scopes

You can find our repository on GitHub.

Unfortunately we have to say this: github.com (the website) is not ours and is out of scope. This bounty concerns only the cyclonedx-rust-cargo project and its code found at that location.

Program Rules

• We welcome external reviews by security researchers in order to identify bugs in our components.
• The scope of this program only applies to the software we build, not to our CI infrastructure or our git/website hosting, and any such attack is prohibited.
• Issues must be reproducible in our setup in order to be accepted as valid.
• We operate this bounty program on a "One Fix One Reward" basis. We consider an issue duplicated if it was previously reported through other channels, and also if it affects a common code module and it was already reported for a different component.

Precautions

• Do not include Personally Identifiable Information (PII) in your report and redact or obfuscate any PII that is part of your PoC.

Eligibility

Every valid report that helps us improve the security of the project is welcome, however, in order to qualify for monetary rewards the following eligibility requirements must be met at a minimum:

• Source of the issue must be in the code published and developed on https://github.com/CycloneDX/cyclonedx-rust-cargo (as opposed to a different repository in the same org, or a distribution-specific patch), no modifications allowed!
• The vulnerability must be new and not have been reported before, here or elsewhere.
• The vulnerability must meet the qualifying criteria as defined in the relevant section.
• A reproducer (code and/or configuration and/or sequence of commands) must accompany the report, the issue must be clearly described, and the issue must be reproducible.
• You must not be a maintainer of the cyclonedx-rust-cargo project.
• Our analysis is always based on the worst impact demonstrated in your PoC
• Only reports affecting the main branch of the project are eligible.

Rating and Responsible Disclosure

CVSS is used to rate and categorize vulnerabilities. Vulnerabilities will be publicly disclosed after sufficient time has passed and fixes have been backported where needed, if deemed necessary in coordination with mainstream Linux distributions.

Advisories will be published on the advisory page of our GitHub repository, and where deemed necessary as CVEs and on external mailing-lists like oss-security.

We handle the full disclosure process and expect submitters not to disclose any findings themselves. If requested, we will fully credit the reporters in the advisories.