The Drupal Security Team is using funding from the EU-FOSSA to pay for valid security issues found in Drupal 7 and 8 and top contributed modules. This program is open for participation by anyone.
The Drupal Security Team will be authorizing payment anywhere from €350 ($401) – €15.000 ($17,100) per issue. The more serious the issue, the more the Drupal Security Team will authorize for payment.
Who is running this program?
The Drupal Security Team with funds from the EU-FOSSA on the intigriti reporting platform.
What is covered?
- Drupal 7 core
- Drupal 8 core
- The 5% most used contrib projects that have stable releases which are both supported by their maintainers and covered by the security team's policy.
Third-party libraries, even those bundled with Drupal core or contributed projects, are excluded from this program.
Can anyone participate?
You may not participate in this program if you fall into one of the following categories:
- If you are a project maintainer (module, theme, etc.), or you contribute a large amount to a project, you may not get paid for the project you maintain. This does not apply to Drupal Core.
- You cannot report a bug you yourself created or committed. (If you find one, however, do report it via our normal processes: https://www.drupal.org/security-team/report-issue)
To get paid, you must have an account on Drupal.org.
Security Team members that are involved with the administration of this program and/or its funds are not eligible for payouts under the program.
This program is only valid for new issues submitted after 2019-01-29. (Duplicate reports of in-progress issues known to the Security Team may not be eligible for payment.)
All issues submitted must be original research. Do not copy and paste results from a scanner without validating them first.
How can I get started?
Install a local copy of Drupal 8 or Drupal 7 from git (https://www.drupal.org/project/drupal/git-instructions). Find security issues such as XSS, SQL Injection, CSRF, Access Bypass etc.
Any submissions about a public Drupal website (including Drupal.org) will result in your account being blocked from any further payments. This bounty program applies to public Drupal open source code only, not to hosted websites that run Drupal.
If you find a security issue you should:
- Write up the steps to reproduce the issue.
- Make sure you have a Drupal.org account created. Include this in your submission.
- Go to the intigriti platform and create a new report.
- WAIT, do not discuss or post anything anywhere yet. Members of the intigriti team and the Drupal Security Team must validate your report. This can take up to 3 weeks depending on the report and the complexity involved.
- If you have a valid report, we will issue payment. You still cannot disclose this bug until we publish a release that fixes the bug.
- If you do not have a valid report, we will inform you as well.
What must be included in the report?
- The reporter must provide a detailed explanation of the issue and steps to reproduce the issue.
- The quality of the report will be taken into account when assigning a value to it.
- We will also take into account the severity of the security issue.
- Reporters will also need to confirm that the Drupal Security team will be the group to release the information.
- Include your Drupal.org username.
- Issues will be confirmed by the security team before payment is approved.
Do all security issues count?
Your testing should be done on a local environment; testing should NEVER be done on live Drupal sites. Any testing on ANY Drupal site that is not under your control (local or server you own) will automatically be rejected and your account blocked from further payment. We have a page on how to get started installing Drupal locally.
If a task requires the attacker to have advanced permissions as listed on our permission policy page (e.g. 'Access site reports', 'Administer users', 'Translate interface', etc.), it will not be eligible for a payout. Other advanced permissions that are not white listed are at the discretion of the security team. Contributed modules (non-core code) must be eligible for a security advisory according to the security advisory policy. A list of projects currently eligible for the program is available.
Security issues excluded from the bounty program
The following are not being considered; while some may be legitimate security issues, they are out of scope for this bounty program.
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HTTP-Only flags on non-sensitive Cookies.
- Lack of Security Speedbump when leaving the site.
- User enumeration.
- Missing HTTP security headers.
- Any Denial of service attack.
- Other exceptions not listed.
We would still like to know about issues in these categories, and you may still get credit for reporting them, but we will not be issuing payments for them.
Other questions?
Questions regarding additional specifics of this program should be emailed to security-bounty@drupal.org.

Comments
I'm really excited about this
I'm really excited about this program. Thanks to EU-FOSSA for supporting Drupal like this!
--
Morris Animal Foundation
Amazing
I do think this will encourage the creative to build tests to test modules on an automated basis though. I just hope that those "tests" are applied to the contributed modules themselves.
I do love the incentive though!
Might be good to clarify that
Might be good to clarify that "Other advanced permissions that are not white listed are at the discretion of the security team" are probably out of scope? at least for XSS?
That risks that people will
That risks that people will not report issues for fear they are going to be rejected. I'd rather make that decision on a case-by-case basis after the issue is submitted. It's not a lot of extra work and the issues are still eligible for being fixed and credited in the normal Drupal Security issue process.
--
Morris Animal Foundation
That risks that people will
Well, yeah, that's the point. Make it clear so people won't spend their time looking for issues that are going to be rejected.
To the extent we can provide
To the extent we can provide more clarity we certainly will in the future as the program evolves.
I think "rejected" is part of the problem here. Valid security issues will not be rejected overall, it's just a question of whether they are eligible for a bounty or not. At a minimum, all security issues will be eligible for the hall-of-fame program that has existed on drupal.org since ~2005.
--
Morris Animal Foundation