OpenPGP.js is a JavaScript library that implements the OpenPGP standard for message encryption and signing. OpenPGP is typically used for end-to-end encrypted email, signing of git commits and software releases, and encrypted file storage, among other things. Therefore, OpenPGP.js may be used in a wide variety of applications.
This bug bounty program is paid for by the Bug Resilience Sovereign Tech Resilience program.
In this bug bounty, any issue in OpenPGP.js that may plausibly lead to a security vulnerability in an application that uses OpenPGP.js's high-level API correctly is in scope, as long as it is caused by OpenPGP.js's non-compliance with the OpenPGP standard, or by an issue in the OpenPGP standard that can and should plausibly be worked around in OpenPGP.js.
In scope:

Scope Type | Scope Name |
---|---|
undefined | Security Vulnerability in the OpenPGP Standard |
web_application | Security Vulnerability in OpenPGP.js's high-level API |
web_application | Interoperability Issue in OpenPGP.js |

Out of scope:

Scope Type | Scope Name |
---|---|
undefined | Security Vulnerabilities that can only be caused by using OpenPGP.js's low-level API, or by using OpenPGP.js's high-level API in an incorrect or unintended way |
undefined | Interoperability Issues that are caused by other OpenPGP implementations' non-compliance with the OpenPGP Standard |
web_application | Security Vulnerabilities in the OpenPGP Standard that are not possible to fix or work around in OpenPGP.js (without causing interoperability issues) |

This program was found on YesWeHack on 2024-07-08.