Our bugcrowd program is over, please report all vulnerabilities to security@drupal.org

Drupal 8 is nearing release, and with all the big architectural changes it brings, we want to ensure D8 upholds the same level of security as our previous releases. That's where you come in!

The security team is using monies from the D8 Accelerate fund to pay for valid security issues found in Drupal 8, from now until December 31, 2015 (open to extension). This program is open for participation by anyone.

How does this work?

Install a local copy of Drupal 8 from Git (https://www.drupal.org/project/drupal/git-instructions). Find security issues such as XSS, SQL Injection, CSRF, Access Bypass etc. If you find any, go to www.bugcrowd.com/drupal and submit them. You will have to sign up for an account on bugcrowd.com for this. Bugcrowd is a crowdsourced security bug finding platform suggested by security team members, and it is used by many, including LastPass, Pinterest, Heroku, Pantheon, and CARD.com.

I can get paid to do this?

We will be paying anywhere from $50-$1000 per issue. The more serious the issue, the more the security team will be paying. Issues must first be confirmed by a security team member before being approved for payment. You must provide a detailed explanation of the issue and steps to reproduce the issue. The quality of your report will be taken into account when assigning a value to it. We will also take into account the severity of the security issue.

Can I get paid for finding issues in contrib or Drupal 7?

No, however if you do find security issues in Drupal core other than version 8 or in contrib projects please submit them via our issue reporting process.

Who is running this program?

The Drupal Security Team with funds from the D8 Accelerate program.

If I find something will I get credit?

Yes, just like our regular reporting policy you will get credit as long as you don’t disclose it until a fix is released. If an issue is suitable for public discussion, we will disclose it and give you credit.

Do all security issues count?

If a task requires the attacker to have one of the following permissions it would not count:
Access site reports (a.k.a. "View site reports"), Administer filters, Administer users, Administer permissions, Administer content types, Administer site configuration, Administer views, Translate interface.

Issues excluded from the bounty program:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
- Lack of Security Speedbump when leaving the site.
- Username enumeration
- Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- Content-Security-Policy-Report-Only
- SSL Issues, e.g.
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL weak / insecure cipher suites
- Other exceptions not listed.

However, we would still like to know about it, and you will still get credit for it. but we will not be issuing payments for it.

I have a question not listed here

Email security@drupal.org

Comments

greggles’s picture

A big thanks to the D8 Accelerate donors for funding this initiative and to Michael Hess for his effort coordinating and organizing the bounty!

sarciszewski’s picture

This is a great example that other open source projects should follow. I intend to poke as many holes in D8 this weekend and report anything I can find ASAP. :)

MyBankai’s picture

this is a really good news :)
Thanks for this iniative

AndresNavarro90’s picture

Very good new! Thanks for iniciative! :)

prakashsingh’s picture

Hopefully..this will attract good security auditors even hackers to some extent to find and report issues that they would disclose otherwise to gain credit or money etc..

I mean to some extent only..

stevesmename’s picture

I asked a couple good security auditors, their feedback summarized into not being worth their time for the "chance" of reward. It was pretty honest feedback IMO; I personally think there should more definition of how a reward amount is decided.

Jaypan’s picture

I don't work on spec myself, so I fully understand their response. That's why this is a community initiative for an open source project, rather than something that's been outsourced.

greggles’s picture

Hi Steve,

In deciding amounts we look at the criticality of the issue and the quality of the report including advice they on how to mitigate. If it's easy to exploit, affects the vast majority of installations, and allows arbitrary code execution then a well-written report will probably get the full bounty. If it affects a minority of sites, is only exploitable if there are other extenuating weaknesses, and the report is hard to understand then the reward will be towards the lower end of the scale.

Since starting the program we've received 85 issue submissions, reviewed and closed 75 of them (whether dupes or real), and rewarded $1,825.

Security bug bounties have been around for several years, but are still a somewhat new field. I'm definitely not in favor of spec work and I think that bug bounties are a bit of a grey area. If someone finds a bug that meets the scope of this bounty they will get paid - there's no doubt about that. The question is only whether someone will find a bug.

Many security researchers find bugs outside of their paid jobs. Bounties help them get paid for that effort when they otherwise would "just" get a hall-of-fame mention.

The "chance" in our bounty program comes down to whether or not people will find a bug in the first place and how critical it will be.

Maddie35000’s picture

Good to know ! Thanks. Hope I wouldn't have any issue the day I do it !!

Tzu-Chi Huang’s picture

D8 is nearing release? Are you kidding? (or yes, amazing and exciting somehow)

Check out the documents for developers. Many documents are not prepared. Furthermore, certain examples addressed in the documents in fact do not work in the current D8 beta version by copying and pasting. I even have to delete the old one (including its database) and install a clean new one, each time a new beta version is released for the purpose of testing.

Would you please postpone the release of D8 if API documents for developers are not ready yet?

Marinade’s picture

This is a good initiative since this is the first time i see something like that. Wordpress never did that if i can well remember even thought they have more $$ than Drupal.

ajay_reddy’s picture

Good to hear from Drupal.org. Hope this will draw attention for good security reviewers (also developers) to look into this.
Hope no issues will be found... :)