Description
At FundRequest we want our community to audit the platform, so that we get the best possible audit.
Scope of Ticket
For automated testing, use the staging environment:
- Find a Medium security breach
A medium security breach as described in the OWASP risk rating methodology:
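To check whether a finding actually lands in the "Medium" band before filing it, the OWASP Risk Rating Methodology scores eight likelihood factors and eight impact factors from 0 to 9, averages each group, maps the averages to LOW (below 3), MEDIUM (3 to below 6) or HIGH (6 and up), and combines the two levels in a fixed matrix. The following is an added worked example of that calculation; it is not code from the FundRequest platform, and the sample finding scored in it is constructed for illustration, not a real issue in the platform.

```python
from statistics import mean

# OWASP Risk Rating Methodology factors. Each is scored 0-9 by the assessor.
LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact factors
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    # business impact factors
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall severity matrix from the OWASP methodology: (likelihood, impact) -> severity.
SEVERITY = {
    ("LOW", "LOW"): "Note",       ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",     ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium",    ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score):
    """Map an averaged 0-9 score onto the OWASP LOW / MEDIUM / HIGH bands."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(scores, factors):
    """Average one factor group, refusing missing factors or out-of-range values."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError("missing factors: %s" % ", ".join(missing))
    for f in factors:
        v = scores[f]
        if not isinstance(v, int) or not 0 <= v <= 9:
            raise ValueError("factor %s must be an integer 0-9, got %r" % (f, v))
    return mean(scores[f] for f in factors)


def rate(finding):
    """Return the OWASP risk rating for a finding given as {factor: score}."""
    likelihood = _average(finding, LIKELIHOOD_FACTORS)
    impact = _average(finding, IMPACT_FACTORS)
    l_level, i_level = level(likelihood), level(impact)
    return {
        "likelihood": likelihood,
        "impact": impact,
        "likelihood_level": l_level,
        "impact_level": i_level,
        "severity": SEVERITY[(l_level, i_level)],
    }


# Constructed sample finding (hypothetical numbers, not a real FundRequest issue):
# easy to find and exploit by a logged-in user with no alerting, but limited
# technical and business impact.
SAMPLE_FINDING = {
    "skill_level": 6, "motive": 4, "opportunity": 7, "size": 6,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
    "loss_of_confidentiality": 6, "loss_of_integrity": 1,
    "loss_of_availability": 1, "loss_of_accountability": 7,
    "financial_damage": 1, "reputation_damage": 1, "non_compliance": 2, "privacy_violation": 3,
}

if __name__ == "__main__":
    result = rate(SAMPLE_FINDING)
    print("likelihood %.3f (%s), impact %.3f (%s) -> %s" % (
        result["likelihood"], result["likelihood_level"],
        result["impact"], result["impact_level"], result["severity"]))
```

In the sample the likelihood average is 6.125 (HIGH) and the impact average is 2.75 (LOW), which the matrix rates as Medium; a HIGH likelihood alone does not make a finding High, and a report should include the individual factor scores so reviewers can see how the band was reached.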
Reward
The first reward is $1,000 in tokens; for each subsequent medium security issue the bounty is lowered by $100 in tokens.
Precondition
- The auditor must be logged into FundRequest
- The auditor must have experience in pentesting, security audits, etc.
Flow: Create Pull Request
- Create a new issue in this repository
- Edit
https://github.com/FundRequest/platform/blob/develop/vulnerabilities.md
- Add your name as an auditor
- Describe the security breach using the example template
- Create a pull request with a reference to the GitHub issue you created, this will be used by the FundRequest platform. (How to reference an issue in a GitHub Pull request?)
- FundRequest administrator(s) will review the pull request and validate the reported issue
Postcondition
- The auditor successfully created a ticket and pull request
- The FundRequest team has successfully reviewed the pull request and funded the issue with $1,000 (or less) in tokens
- The FundRequest team merges the pull request
- The auditor can claim the funds
Acceptance criteria
- The reported issue is considered a medium security breach as stated in the ticket
- The security breach has to be unique.
- The first person reporting the breach will be awarded the bounty.
- The timestamp of the pull request will be used to define the first person who reported the security breach.
- The bug may only be reported in the FundRequest GitHub repository and cannot be made public on other platforms/media without the consent of the FundRequest team.
- Determinations of eligibility, rewards and all terms related to an award are at the sole and final discretion of the FundRequest team.
- The bug is first discussed with the team on Telegram before it is disclosed
This issue has been funded using FundRequest. A developer can claim the reward by submitting a pull request referencing this issue. (How to Close Issues via Pull Requests?) e.g.
fixes #537