The Squid Project uses BountyGraph to reward vulnerability reporters.
We are most interested in reproducible security bugs from the following categories:
Submissions violating at least one of the following rules are unlikely to receive a bounty:
The vulnerability must be reproducible with Squid built from official unpatched sources on a platform (including 3rd party libraries) supported by the Squid Project.
The vulnerability must apply to a stable Squid version supported by the Squid Project.
The above rules apply at the "reporting time". Reporting time is the time when an eligible report (i.e., a report violating no rules) was received by the Squid Project. Usually, the reporting time is the time when an eligible report was posted to our bug reporting mailing list.
For example, if reporter A submits a vulnerability report without a reproducer, reporter B submits essentially the same vulnerability report with a reproducer an hour later, and reporter A amends her report with a reproducer two hours later, report B will receive a bounty because amended report A will violate the "previously unknown vulnerability" rule.
These rules are subject to change without notice, and changes are likely while we gain more experience with BountyGraph. However, it is our intention to apply the rules that were current at the reporting time.
The Squid Project will determine whether a reported issue is considered a security vulnerability and, if it is, give it a security rating of Low, Moderate, High, or Critical based on its anticipated effect on Squid deployments. Common-sense factors such as ease of exploitation, resulting attacker control, and commonality of the required configuration determine the rating.
The BountyGraph Panel will have final say on the amount paid out for the vulnerability, but will base this decision on the Squid Project assessment of the bug.
Please remember that not all submissions will qualify for a bounty. The final decision of the bounty reward is at the discretion of the BountyGraph Panel.
Bounties are paid out according to the severity of the vulnerability and the available funds at the time of bounty payout. The following percentages serve as a guide during this process, but individual bugs may earn slightly more or less depending on impact.
Of this bounty, 20% is paid to project maintainers if a working patch is released within 30 days of receiving the report, and 80% is paid to the hacker. If the patch is released after 30 days, 15% is paid to project maintainers and 85% is paid to the hacker.
| Severity | Low | Medium | High | Critical |
|---|---|---|---|---|
| Share of available funds | ~5% | ~10% | ~15% | ~25% |
Contact us if you want more information.