Menu

Drupal 8 Security bug bounty program: Get paid to find security issues in D8

June 2nd, 2015

Drupal 8 is nearing release, and with all the big architectural changes it brings, we want to ensure D8 upholds the same level of security as our previous releases. That's where you come in!

The security team is using monies from the D8 Accelerate fund to pay for valid security issues found in Drupal 8, from now until August 31, 2015 (open to extension). This program is open for participation by anyone.

How does this work?

Install a local copy of Drupal 8 from Git (https://www.drupal.org/project/drupal/git-instructions). Find security issues such as XSS, SQL Injection, CSRF, Access Bypass etc. If you find any, go to www.bugcrowd.com/drupal and submit them. You will have to sign up for an account on bugcrowd.com for this. Bugcrowd is a crowdsourced security bug finding platform suggested by security team members, and it is used by many, including LastPass, Pinterest, Heroku, Pantheon, and CARD.com.

I can get paid to do this?

We will be paying anywhere from $50-$1000 per issue. The more serious the issue, the more the security team will be paying. Issues must first be confirmed by a security team member before being approved for payment. You must provide a detailed explanation of the issue and steps to reproduce the issue. The quality of your report will be taken into account when assigning a value to it. We will also take into account the severity of the security issue.

Can I get paid for finding issues in contrib or Drupal 7?

No, however if you do find security issues in Drupal core other than version 8 or in contrib projects please submit them via our issue reporting process.

Who is running this program?

The Drupal Security Team with funds from the D8 Accelerate program.

If I find something will I get credit?

Yes, just like our regular reporting policy you will get credit as long as you don’t disclose it until a fix is released. If an issue is suitable for public discussion, we will disclose it and give you credit.

Do all security issues count?

If a task requires the attacker to have one of the following roles it would not count:
Access site reports (a.k.a. "View site reports"), Administer filters, Administer users, Administer permissions, Administer content types, Administer site configuration, Administer views, Translate interface.

Issues excluded from the bounty program:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
- Lack of Security Speedbump when leaving the site.
- Username enumeration
- Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- Content-Security-Policy-Report-Only
- SSL Issues, e.g.
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL weak / insecure cipher suites
- Other exceptions not listed.

However, we would still like to know about it, and you will still get credit for it. but we will not be issuing payments for it.

I have a question not listed here

Email security@drupal.org