VeraCrypt is an open-source utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file or encrypt a partition or the entire storage device with pre-boot authentication.
To report a security issue in VeraCrypt, e-mail firstname.lastname@example.org.
Accepted reports must follow VeraCrypt's Security Model.
PGP Public Key for contact.
We will make every effort to abide by HackerOne's disclosure guidelines.
Only critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically Arbitrary Code Execution or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.
Impact | Amount
High: Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved. | $2,500+
Medium: Demonstrate that remote exploitation of this bug is very likely (e.g. good control of a register). | $1,250
Minimum: Demonstrate the presence of a security bug with probable remote exploitation potential. | $500
Additionally, any bugs that can cause broad information disclosure or decryption of information within containers or encrypted drives will be considered.
Awards are increased for submissions that include any custom tools you developed to locate the bugs, since giving these tools to the developers extends the value of your work and eliminates the chances of regressions or of reintroducing similar bugs of the same class. To receive the increased award, make sure your tools are documented and the code is properly commented so that the developers can utilize, enhance, and improve upon your work in the future.
The project maintainers have final decision on which issues constitute security vulnerabilities. The Internet Bug Bounty Panel will respect their decision, and we ask that you do as well.
Only versions currently supported by the upstream project are eligible. Please verify your issue is present in a current release before submission. Note that other forks of TrueCrypt and any fork of VeraCrypt code are not eligible.
It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.
Contact us if you want more information.