Program Rules

The Squid Project uses BountyGraph to reward vulnerability reporters.


We are most interested in reproducible security bugs from the following categories:

  1. Remote code execution (RCE)
  2. Cache poisoning (sending an attacker-controlled response while satisfying an unrelated request from the cache)
  3. Message leaks (violations of MUST-level protocol or configuration requirements for sharing protocol messages and their parts)
  4. Message smuggling (mistaking attacker-controlled content for a valid request or response)
  5. Dangerous access control violations (allowing messages prohibited by configuration)
  6. Denial of service (assertions and other crashes controlled by a remote attacker)


Submissions violating at least one of the following rules are unlikely to receive a bounty:

  1. The report must be about a vulnerability unknown to the Squid Project. Known vulnerabilities include, but are not limited to, not-yet-published or undisclosed problems reported to the Squid Project outside BountyGraph channels.
  2. The report must include a reproducer. A "reproducer" is defined as a program or procedure that an independent developer can use to reliably trigger the reported vulnerability within a reasonable amount of time and after spending a reasonable amount of resources.
  3. The vulnerability must be reproducible with Squid built from official unpatched sources on a platform (including 3rd party libraries) supported by the Squid Project.
  4. The vulnerability must apply to a stable Squid version supported by the Squid Project.
  5. The report must include the Squid build parameters, a summary of the deployment environment, and the complete Squid configuration (with external helpers where applicable).
  6. The reported Squid configuration must be supported by the Squid Project.

The above rules apply at the "reporting time". The reporting time is the time when an eligible report (i.e., a report violating none of the rules) was received by the Squid Project. Usually, the reporting time is the time when an eligible report was posted to our bug reporting mailing list.

For example, if reporter A submits a vulnerability report without a reproducer, reporter B submits essentially the same vulnerability report with a reproducer an hour later, and reporter A amends her report with a reproducer two hours later, report B will receive the bounty, because the amended report A will violate the "previously unknown vulnerability" rule.

These rules are subject to change without notice, and changes are likely while we gain more experience with BountyGraph. However, it is our intention to apply the rules that were current at the reporting time.


The Squid Project will determine whether a reported issue is considered a security vulnerability and, if it is, give it a security rating of Low, Moderate, High, or Critical based on its anticipated effect on Squid deployments. Common-sense factors such as ease of exploitation, the resulting attacker control, and how common the required configuration is determine the rating.

The BountyGraph Panel will have the final say on the amount paid out for the vulnerability, but will base this decision on the Squid Project's assessment of the bug.

Please remember that not all submissions will qualify for a bounty. The final decision of the bounty reward is at the discretion of the BountyGraph Panel.

BountyGraph Payout Policy

Bounties are paid to hackers and project maintainers at the discretion of the funding organizations and the BountyGraph team. To be eligible for a bounty, each submission must meet BountyGraph's report guidelines.

FireBounty © 2015-2019