This project has been sponsored by the European Commission as part of the EU- Free and Open Source Software Auditing (EU-FOSSA) project designed to improve the security of free software.
This program will be open for submissions for 8 weeks, though rewards may be processed beyond the 8 week period in order to allow for full evaluation of the impact of valid vulnerability reports.
While researching, we'd like to ask you to refrain from:
Below is a description of the Notepad++ packages (both 32/64 bit binary releases) but see Scope for what should be tested:
Notepad++ core is composed in 2 parts:
notepad++.exe: the main executable binary.
source : https://github.com/notepad-plus-plus/notepad-plus- plus/tree/master/PowerEditor __
SciLexer.dll: Scintilla (https://www.scintilla.org/ __) is the editor component used by Notepad++. It's modified slightly to meet Notepad++'s need.
source : https://github.com/notepad-plus-plus/notepad-plus- plus/tree/master/scintilla __
Check https://github.com/notepad-plus-plus/notepad-plus- plus/blob/master/README.md __to learn how to build both binaries.
The scope should be limit to the minimal 7z package , which corresponds to https://notepad-plus-plus.org/repository/7.x/7.6.3/npp.7.6.3.bin.minimalist.7z __
The PoC must work on the master branch of https://github.com/notepad-plus-plus/notepad-plus-plus.git __, or the latest build. Older builds are explicitly out of scope.
The PoC must work on the latest version of Windows. Other platforms like Linux and MacOSX with WINE are out of scope.
Here are the steps to build your test environment ( that prevent from wasting your time to find fixed issues ):
Vulnerabilities are to be evaluated given contemporary computer architectures.
The PoC must work on the respective repository trunk heads or the latest released version. Older builds are explicitly out of scope.
Please always provide the Debug Info via menu
?->Debug Info... with your
Our rewards are based on the severity of a vulnerability. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.
SEVERITY | CVSS SCORE | REWARD
critical | 9.0 - 10.0 | €5000
High | 7.0 - 8.9 | €2500
Medium | 4.0 - 6.9 | €1000
Low | 0.1 - 3.9 | €250
There is a 20% bonus for including a fix in the report, when accepted by the maintainers.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Notepad++ and our users safe!
If you have any questions or concerns on this challenge, please contact tpm- firstname.lastname@example.org.