The Squid Project uses BountyGraph to reward vulnerability reporters.
We are most interested in reproducible security bugs from the following categories:
Submissions violating at least one of the following rules are unlikely to receive a bounty:
The vulnerability must be reproducible with Squid built from official unpatched sources on a platform (including 3rd party libraries) supported by the Squid Project.
The vulnerability must apply to a stable Squid version supported by the Squid Project.
The above rules apply at the "reporting time". Reporting time is the time when an eligible report (i.e., a report violating none of the rules) was received by the Squid Project. Usually, the reporting time is the time when the eligible report was posted to our bug reporting mailing list.
For example, if reporter A submits a vulnerability report without a reproducer, reporter B submits essentially the same vulnerability report with a reproducer an hour later, and reporter A amends her report with a reproducer two hours after that, report B will receive the bounty: report A only became eligible when it was amended, and by then the vulnerability was already known from report B, so amended report A violates the "previously unknown vulnerability" rule.
These rules are subject to change without notice, and changes are likely while we gain more experience with BountyGraph. However, it is our intention to apply the rules that were current at the reporting time.
The Squid Project will determine whether a reported issue is considered a security vulnerability and, if it is, give it a security rating of Low, Moderate, High, or Critical based on its anticipated effect on Squid deployments. Common-sense factors such as ease of exploitation, the resulting attacker control, and how common the required configuration is determine the rating.
The BountyGraph Panel will have final say on the amount paid out for the vulnerability, but will base this decision on the Squid Project assessment of the bug.
Please remember that not all submissions will qualify for a bounty. The final decision of the bounty reward is at the discretion of the BountyGraph Panel.
Bounties are paid to hackers and project maintainers at the discretion of the funding organizations and the BountyGraph team. To be eligible for a bounty, each submission must meet BountyGraph's report guidelines.
Contact us if you want more information.