20/04/2016
Reward types: Thanks, Gift, Hall of Fame, Reward

In Scope

Scope Type       Scope Name
web_application  https://github.com/dovecot/pigeonhole
web_application  https://github.com/dovecot/core

Out of Scope

Scope Type       Scope Name
web_application  *.dovecot.fi
web_application  *.dovecot.org

Dovecot

Introduction to Dovecot and program rules

Dovecot is an open source email server with an installed base of over 3 million servers all over the world and a global market share of over 60% of all IMAP servers. Dovecot is the IMAP server of choice for ISPs, telcos and enterprises everywhere in the world.

Dovecot was designed from the beginning with security in mind and with many ways to provide privilege separation. Although the code is written in C, it uses a somewhat special style of C that makes it much more difficult to write security holes accidentally than in most other C-based projects. Dovecot is an excellent choice for both small and large installations. It is fast, simple to set up, requires no special administration and uses very little memory.

Scope

Please note that our websites and infrastructures are in no way part of this program, and are explicitly out of scope.

This program solely targets software vulnerabilities within Dovecot components. The report must be reproducible on currently supported versions and operating systems, and vulnerabilities need to be documented in a way that allows them to be reproduced. Send screenshots, code, video; whatever helps to understand the flaw.

How to research

Documentation

Learn more and find installation guides at https://wiki2.dovecot.org/.

Software packages

Since we're open-source, you can use a locally installed instance of Dovecot. Especially when using local installations, we expect that you're using up to date versions on supported operating systems, hardened configurations of those services as well as a set of strong credentials.

Check out your favourite Linux distribution for a pre-compiled version of Dovecot or use https://repo.dovecot.org/.

Source-code

You can get access to our source code publicly at https://github.com/dovecot/core and https://github.com/dovecot/pigeonhole, but please do not report any potential security issue to the public bug tracker.

Exclusions

While researching, we'd like to ask you to refrain from the following non-qualifying issues and techniques; they will not be considered for a bounty:

  • Vulnerabilities of our websites
  • Issues with our DNS configuration
  • Issues located within third party components
  • Social Engineering of Dovecot employees and contractors
  • Physical attacks against infrastructure, employees and offices of Dovecot
  • Uploading, sending or injecting malware to Dovecot employees and contractors
  • Research that results in spam, harassment or any kind of unauthorized communication
  • Using data acquired by compromising customer or employee accounts
  • Vulnerabilities which have been made possible by purposely weakening the default configuration while using authorized privileged access
  • Vulnerabilities which are already publicly known or variations of such
  • Denial of service attacks
  • Vulnerabilities which are purely hypothetical, or which are already publicly known or variations of such, including vulnerabilities that are only made possible by exploiting another reported vulnerability.

Eligibility and disclosure

  • You must agree to and comply with our program rules
  • You must be the first person to responsibly disclose an unknown issue
  • You must not publicly disclose the vulnerability prior to our public disclosure

Our security team will review each submitted finding and establish communication as soon as possible to reproduce and solve the reported vulnerability. Please allow 3 working days for our initial response. We ask you to make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research.

Rewards

Besides our respect and attribution, Dovecot may provide rewards to eligible reporters of qualifying vulnerabilities. Rewards include:

  • Dovecot branded clothing: T-Shirts, Polo Shirts, Hoodies
  • Minimum reward of $100 USD for vulnerabilities we consider to be serious, up to a maximum of $5000 USD for the most severe vulnerabilities.
  • For a reward, you must show that there is potential for damage or exposure of private data. For example, local crashes or assertion failures alone do not qualify; these award points only.

Dovecot will determine in its discretion whether a reward should be granted and the amount of the reward. In particular we may choose to pay higher rewards for severe vulnerabilities or lower rewards for vulnerabilities that are considered less severe. This is not a contest or competition.

Due to logistical issues and the subsequent overhead and disappointment on both sides, we're not sending swag packages to locations with notoriously weak postal infrastructure. In this case we award an amount below the minimum reward to compensate.

When estimating severity we use CVSS and map the score against our payout grades.

This means certain aspects are of importance when considering the reward for a specific issue, for example:

  • Does it affect all users or would a practical attack require significant effort to compromise a wider range of users?
  • What level of authentication at the attacker and victim side is required to make the attack work?
  • Are social-engineering vectors (e.g. phishing) required to exploit the vulnerability?
  • Is the attack vector remotely exploitable and are multiple steps required to execute it?
  • Does the attack require interaction of the victim to be effective?
  • Does the attack rely on weaknesses in third party components on the victim's side?

Based on this evaluation of impact and severity, issues that are similar on the technical side may receive different ratings and consequently different payouts. We do not have a fixed reward amount for a specific kind of issue. Note that the scale between minimum and maximum payout is not linear. We reserve the right to change these program rules at any time without prior announcement.

Thank you for helping to keep Dovecot and its users safe! And by the way, we're hiring...

FireBounty © 2015-2019
