This program primarily exists to help us find critical vulnerabilities in the Monero and Kovri applications, which are written in C++, with some C and assembly, and QtQuick for the Monero GUI. We are not terribly interested in website vulnerabilities (both the Monero and Kovri sites use Jekyll and produce static HTML) or in metadata leaks from volunteer-run hosting infrastructure.
The projects that are in-scope are listed below in the "Project-specific policies" section. Please read the policy notes as well.
If you are looking to disclose web app vulnerabilities, or low-hanging fruit such as CSRF / XSS bugs, you are looking at the wrong project. These are not web apps!
Only the following projects are in scope. Other projects, such as the Monero forum, are either being deprecated or are out of scope.
* Monero (CLI) (https://github.com/monero-project/monero/blob/master/VULNERABILITY_RESPONSE_PROCESS.md)
* Monero (GUI) (https://github.com/monero-project/monero-core/blob/master/VULNERABILITY_RESPONSE_PROCESS.md)
* Monero (website) (https://github.com/monero-project/monero-site/blob/master/resources/vrp/index.md)
* Kovri (https://github.com/monero-project/kovri-docs/blob/master/i18n/en/vrp.md)
* Kovri (website) (https://github.com/monero-project/kovri-site/blob/master/VULNERABILITY_RESPONSE_PROCESS.md)
Note: as a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. The live sites are NOT in scope, only the code is!
We award bounty through our FFS (https://forum.getmonero.org/8/funding-required/87597/monero-bounty-for-hackerone).
Hall of Fame