Recent Posts

71
Bug bounty programs / LGE Bug Bounty
« Last post by Angelina on July 20, 2023, 06:38:51 pm »
submit bug report: http://www.lg.com

If you have found a potential security issue with any of our products or services related to our products, we kindly ask you to let us know at your earliest convenience via email at product.security@lge.com
72
Bug bounty programs / Kyup Bug Bounty
« Last post by Angelina on July 20, 2023, 06:37:42 pm »
submit bug report: http://kyup.com

If you believe you've discovered a security vulnerability in Kyup, you may responsibly disclose your find by sending an email to security@kyup.com. Please include the following details with your disclosure:
Description of vulnerability and potential impact.
Detailed description of steps taken to reproduce the bug or proof of concept.
Name and/or link for (optional) attribution on this page.
We will review the bug and reply with details on eligibility for bounty and how to receive it.
Policy: https://kyup.com/bounty
73
Bug bounty programs / ING Bug Bounty
« Last post by Angelina on July 20, 2023, 06:36:22 pm »
submit bug report: http://ing.com

What to report?
Vulnerabilities with regard to the safety of ING’s services offered through the internet. In case you have discovered a vulnerability in our system, please report this as quickly as possible. Examples of vulnerabilities could be:
Cross-site scripting (XSS) vulnerabilities
SQL injection vulnerabilities
Encryption vulnerabilities
Vulnerabilities found at previous ING businesses cannot be reported by ING
What is responsible-disclosure@ing.com not used for?
Reporting complaints about ING’s services or products
Questions and complaints about the availability of ING websites, mobile banking or internet banking
Reporting monetary issues (e.g. ATM’s and pin devices)
Reporting Fraud or the presumption of Fraud
Reporting fake e-mails or phishing e-mails
Reporting malware
How can a vulnerability be reported?
A vulnerability can be reported by e-mail to responsible-disclosure@ing.com. A prerequisite for sending an e-mail to the above-mentioned address is that you use the public PGP key (zip). Please ensure that your e-mail is written in a clear and succinct way. In particular, include the following in your e-mail:
The steps you undertook
The entire URL
Objects (as filters or entry fields) possibly involved
Screen prints are welcome
Our specialists will read your report and start working on it right away. Did you find a vulnerability in one of our IT systems? Please contact us directly and do not postpone.
Am I eligible for a reward after my finding?
ING highly appreciates your effort by assisting us in optimizing our systems and processes. In case your reported vulnerabilities have been solved or led to a change in our services, you will be eligible for a reward.
Can I report a vulnerability anonymously?
Sure, you do not have to provide your name and contact details if you want to report a vulnerability. However, you should take into account that we will then be unable to discuss the next steps with you. For instance, we cannot inform you about what we will do with the vulnerability you discovered, nor can we collaborate further or provide you with the appropriate credits or reward in return for your finding.
Your privacy
Your personal information is only used to approach you and undertake actions with regard to your reported vulnerability. We will not distribute your personal information to third parties without your permission, unless the law requires us to provide it or an external organization takes over the investigation of your reported vulnerability. In that case we will ensure that the applicable authority treats your personal information confidentially. We will remain responsible for your personal information.
What will we do with your finding?
A team of security experts will investigate your finding. Within two working days you will receive an e-mail with a first reply. Note: revealing your finding to the public is not allowed; instead, talk to our experts and give them time to assess and solve the problem. Accordingly, we will provide you with feedback on your finding. We will explain to you whether we will solve the problem, how we will solve it and when.
Rules
By investigating our IT systems, you might commit a prosecutable act. If you act in good faith and in accordance with the rules mentioned by ING, there will be no inducement for us to report your action. Therefore, follow the rules of responsible disclosure.
Ensure that during your and our investigation of your reported vulnerability, you do not cause any damage.
Do not use social engineering in order to gain access to our IT systems.
Your investigation must never disrupt our (online) services.
Your investigation must never lead to the publication of bank or customer data.
Do not put a backdoor in the system, not even for the purpose of demonstrating the vulnerability. Placing a backdoor damages the safety of the system even further.
Do not make any changes to or delete data in the system. If your finding requires a copy of data from the system, do not copy more than your investigation requires. If one record is sufficient, do not copy more.
Do not make any changes in the system.
Do not attempt to penetrate the system further than required. If you successfully penetrated the system, do not share the gained access with others.
Do not use any brute-force techniques (e.g. repeatedly entering passwords) in order to gain access to the system.
Don’t use techniques that can influence the availability of our (online) services.
Remaining conditions
We can only process reported vulnerabilities that are reported in Dutch or English.
In case you are eligible for a reward, we require your personal information.
In case your reported vulnerability is reported by others as well, the reward will be granted to the first reporter.
Responsible Disclosure regulation
With regard to reporting vulnerabilities in IT systems, the National Cyber Security Centre of the Ministry of Security and Justice in the Netherlands has drawn up guidelines. ING’s guidelines are based upon those. If you want to learn more about the guidelines drawn up by the Ministry of Security and Justice, visit: https://www.ncsc.nl/
Differing international regulation
We advise you to take into account that regulations with regard to Responsible Disclosure differ per country. If you live abroad and have found vulnerabilities in one of our ING pages, please realize that the Responsible Disclosure policy is not applicable in every country. This implies that even though you acted in accordance with ING’s Responsible Disclosure policy, you might still be prosecuted by the authorities, even though we do not report the vulnerability to them.
More info
The US Federal Trade Commission provides information here on how to avoid phishing scams
The Anti-Phishing Working Group provides statistics on phishing attacks and advice for individuals and companies.
Policy: http://www.ing.com/ING.com-Security.htm
74
Bug bounty programs / Independer Bug Bounty
« Last post by Angelina on July 20, 2023, 06:35:17 pm »
submit bug report: http://www.independer.nl

Responsible Disclosure Policy Independer
Independer's mission is to restore confidence in financial institutions and products. In this, we ourselves lead the way. Independer customers can be confident that we take security and privacy seriously. Our systems are protected and continuously monitored for potential weaknesses. Yet it may happen that there is a problem with the security of one of our systems.
If you have found a flaw in one of our systems, let us know. Then we can take steps as soon as possible. We like to work with you to better protect our clients and systems. That way we make our security better together.
What we ask from you:
Mail your findings to beveiliging@independer.nl. Encrypt your findings with our [PGP key] (http://www.independer.nl/algemeen/info/responsible-disclosure/pgp-key.aspx) to prevent the information falling into the wrong hands.
Do not abuse the issue, for example by downloading more data than is necessary to demonstrate the problem, by viewing, modifying or deleting third-party data, or by modifying systems.
Do not share it with others until the problem is resolved.
Erase the confidential information you obtained through the leak after closing the leak.
Do not use attacks on our physical security, social engineering, denial of service attacks, spam or third party applications.
Give us enough information to reproduce the problem so we can fix it as soon as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but for more complex vulnerabilities more information may be needed.
What we promise you:
If you stick to the above conditions, we will not take legal action against you as a result of the report.
We will respond to your message within 3 working days with our assessment of the report and an expected date for a solution.
We treat your report confidentially and will not share your personal information with third parties without your permission unless we need to fulfil a legal obligation. You can also report anonymously or under a pseudonym: we find it more important that you report a vulnerability you have found than that you make yourself known.
We will keep you informed of the progress.
In any reporting on the reported problem, we can include your name (or pseudonym) as the discoverer. Please mention this in your report.
In return for your help, we offer a reward for any report of a vulnerability unknown to us. We determine the size of the reward according to the severity of the leak and the quality of the report, with a minimum of € 50.
Policy: http://www.independer.nl/algemeen/info/responsible-disclosure.aspx
75
Bug bounty programs / ICANN Bug Bounty
« Last post by Angelina on July 20, 2023, 06:34:09 pm »
submit bug report: http://www.icann.org

ICANN looks forward to working with the community to find security vulnerabilities in order to keep our businesses and customers safe.
SLA
ICANN will make a best effort to meet the following SLAs for hackers participating in our program:
Time to first response (from report submit) - 5 business days
Time to triage (from report submit) - 10 business days
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
Follow HackerOne's disclosure guidelines
Program Rules
Please provide detailed reports with reproducible steps
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact
Social engineering (e.g. phishing, vishing, smishing) is prohibited
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service
Only interact with accounts you own or with explicit permission of the account holder.
Prohibited Actions
Uploading files that allow arbitrary commands ( e.g., a webshell)
Modifying any files or data, including permissions
Creating and maintaining a persistent connection to the server
Intentionally viewing any files or data beyond what is needed to prove the vulnerability
Failing to disclose any actions taken or applicable required information
Out of Scope Assets
ICANN has numerous assets which are out of scope due to the hosting provider
Verify the asset is in scope by checking the DNS records, as ICANN may have a redirect to an out of scope IP
Out of Scope Vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Clickjacking on pages with no sensitive actions
Unauthenticated/logout/login CSRF
Attacks requiring MITM or physical access to a user's device
Previously known vulnerable libraries without a working Proof of Concept
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Missing best practices in SSL/TLS configuration
Missing best practices in SPF/DMARC/DKIM configuration
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Any activity that could lead to the disruption/denial of our service (DoS)
Except those that can be described as "CWE-20: Improper Input Validation" type
Availability and Denial of Service Bugs
The Availability environment score modifier has been set to “Low” for all in scope systems. Impact to Availability will not elevate a bug to a Critical level, only the scores for Confidentiality and/or Integrity can elevate a bug to the Critical rating.
If a bug were to achieve a Critical rating due to the Availability score being Low or High, the impact will be noted but it will not raise the total score to a Critical rating.
Valid bug submissions which center around Availability and fall under CWE-20 may have their severity manually adjusted to reflect compensating controls or processes that are not visible to the submitter.
This represents the organizations compensating controls and risk tolerance for Availability of services.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Failure to meet the above conditions and requirements may be considered a breach of responsible disclosure guidelines and eliminate any potential recognition of the submitted research contribution.
Thank you for helping keep ICANN and our users safe!
76
Bug bounty programs / Hyperledger Bug Bounty
« Last post by Angelina on July 20, 2023, 06:32:46 pm »
submit bug report: https://www.hyperledger.org/

Last updated on July 19, 2018.
Policy

NOTE: None of the web sites run by The Linux Foundation or by the Hyperledger Foundation are eligible for the bounty. That means only the code in the Hyperledger Fabric codebase is eligible for the bounty. Everything else, including our websites, are not in scope (e.g. JIRA, homepage, and wiki).
UPDATE: We now have a free online course that covers all of the details of setting up a Hyperledger Fabric test network for analysis.
Hyperledger is a global open source collaborative effort created to advance cross-industry blockchain technologies, hosted by The Linux Foundation, and developed by technologists in finance, banking, internet of things, supply chains, manufacturing and technology.
Because blockchain and distributed ledger technology has such a wide range of applications, ranging from critical infrastructure (e.g. energy markets, bank settlements, etc) to social systems (e.g. digital healthcare records, voting, etc) the Hyperledger community is eager to work with the broader security community to help identify any security vulnerabilities in the various Hyperledger technologies and report and fix them in a timely and responsible manner.
Because Hyperledger projects are in various stages of development and maturity, the community has chosen to limit our bug bounty program to those projects that have reached a “1.0” release maturity. Additional projects will be joining the bug bounty in the near future, and we invite you to also review those when they join the bounty program.
The Hyperledger Foundation security team consists of volunteer open source developers that will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 60 business days. Our transparency is greater than other organizations, however we are using a confidential vulnerability reporting and resolution system. We will do our best to keep you informed about our progress throughout the process and per our security policy, all vulnerabilities will be disclosed responsibly.
To better stay connected with the Hyperledger developers, it is recommended that you create a Linux Foundation ID. With the Linux Foundation ID you can access our Wiki and JIRA. We also have active mailing lists that you can join by going to https://lists.hyperledger.org/. You will also be able to access our JIRA bug tracking system at https://jira.hyperledger.org. We use Discord for chat.
Thank you for your consideration. We hope that you will come join us in making solid blockchain technologies and platforms for the benefit of many different industries/applications.
Dos
Follow HackerOne’s disclosure guidelines.
Provide detailed reports with reproducible steps. If there is insufficient detail and we cannot reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you can chain the vulnerabilities.
Treat everybody with respect, professionalism, fairness, and sensitivity to our many differences and strengths, including in situations of high pressure and urgency.
Be familiar with and follow our community code of conduct. Come hang out with us--or just lurk--in our chat and mailing lists. We’d love to meet you and have you join our community.
Don’ts
Social engineering of any kind (e.g. phishing, vishing, smishing). That is strictly prohibited and outside of the scope of this bounty program.
Program Rules
When duplicate reports occur, we will only award the first report received--provided that the report is well formed, can be fully reproduced, and meets all other submission criteria.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Amounts below are the minimum we will pay per category. We aim to be fair; all reward amounts are at our discretion.
Rewards
Our rewards are based on the impact of a vulnerability. Please note these are general guidelines and examples, and that reward decisions are up to the discretion of the Hyperledger Foundation security team.
Critical severity bugs - minimum $2000
Types of impacts that Hyperledger would consider to be critical include:
Fabric Certificate Authority bypasses--all endorsers and authentication of who can and cannot create transactions that go into the blockchain rely on the Fabric CA.
Preventing consensus--figuring out a way to stop the distributed system from achieving consensus. Fabric uses a pluggable architecture for distributed consensus. Issues that can prevent consensus would be considered critical.
Escaping from a chaincode container--breaking out of the VM.
Unauthorized modifications of chaincode--changing the code that is executed inside of the VM. Types of vulnerabilities that may result in these impacts include:
Vertical authentication bypass.
Recording unauthorized, invalid, or forged transactions in the blockchain.
Amplification attack where chaincode generates malicious network traffic.
Denial of service of the whole blockchain by stopping chaincode execution and/or the consensus network.
Establishing a persistent beachhead inside of the firewall protecting the Fabric network.
High severity bugs - minimum $1500
Types of impacts that Hyperledger would consider to be high include:
Confused deputy attack on the Fabric Certificate Authority--mistakenly issued credentials to access the permissioned network or being re-issued another user’s credentials or otherwise affecting the permissions of other users.
Taking down any Fabric component (e.g. endorser, ordering service, membership service, consensus network) through malformed data submitted from the outside via the API. Types of vulnerabilities that may result in these impacts include:
Lateral authentication bypass.
Remote denial of service.
Default configuration errors.
Medium severity bugs - minimum $500:
Types of impacts that Hyperledger would consider to be medium include:
Taking down any Fabric component (e.g. endorser, ordering service, membership service, consensus network) through malformed data and/or fuzzing of its API used for inter-service communication behind the firewall. If you fuzz from a privileged network position (e.g. behind the firewall), then the vulnerability is of medium severity unless you can show that it can also be triggered from an unprivileged network position.
Types of vulnerabilities that may result in these impacts include:
General instability.
Low severity bugs - minimum $200:
Types of impacts that Hyperledger would consider to be low include:
Vulnerabilities found in demo/example configuration, chaincode, and applications. Types of vulnerabilities that may result in these impacts include:
Footgun attack.
Scope
Only those projects listed, and the identified repositories are in scope.
Issues that may impact users with runtime components in production environments.
If you have any questions, please ask us at security@hyperledger.org BEFORE performing any testing.
Out of Scope
All of the Linux Foundation infrastructure in general and all of the Hyperledger Foundation infrastructure, specifically.
Any Hyperledger projects that have not reached 1.0 status. Only issues found against Hyperledger Fabric 1.0+ will be eligible for bounties.
All test and documentation code.
Issues in non-Hyperledger dependent projects. Issues in dependent projects should be reported directly to the respective project. Hyperledger projects regularly update dependency versions to fix issues identified in dependent projects.
If you identify any scopes not listed above that you believe belong to Hyperledger, please let us know at security@hyperledger.org BEFORE performing any testing.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Intentionally malicious chaincode. Chaincode is Go running in a docker container. The security anchors in the controlled chaincode provisioning system that is designed to carefully manage what chaincode is installed and available to run.
Denial of service of any component (e.g. Endorser, etc) from a privileged network position (i.e. inside the firewall). Fabric is designed to run all components behind a corporate firewall. Clients outside the firewall will talk to a network service that uses the API to talk to the rest of the system behind the firewall.
Insecure configurations. We do our best to prevent the possibility of insecure configuration but we don’t see this as being in scope. If you find something, it would be great if you just filed a bug in our JIRA.
Documentation errors. We strive to keep the documentation up to date, but sometimes it becomes stale. We do not consider this to be in scope however we encourage you to file a JIRA bug or a pull request to fix it.
Thank you for helping keep Hyperledger and our users safe!
Getting Started
To help you get started with Hyperledger Fabric we have a few pieces of documentation:
The official Hyperledger Fabric documentation
We have also developed an introductory online course for Hyperledger Fabric, Sawtooth, and Iroha. It contains instructions for setting up a network and building an application on Hyperledger Fabric.
We also have a Hyperledger calendar of events where we will list community hackathons/hackfests where you can meet more Hyperledger developers and get more involved in our community.
77
Bug bounty programs / Hybridsaas Bug Bounty
« Last post by Angelina on July 20, 2023, 06:31:35 pm »
submit bug report: http://hybridsaas.com

Responsible disclosure
Hybrid SaaS considers it very important that its own ICT systems are secure and strives for a high level of security for them. Nevertheless, it can happen that a weak spot occurs in one of these systems.
Vulnerabilities in Hybrid SaaS ICT systems
If you have found a weak spot in one of Hybrid SaaS's ICT systems, we would like to hear it from you so that the necessary measures can be taken as quickly as possible. Hybrid SaaS would like to work with you to protect the security of its own ICT systems even better. With this in mind, Hybrid SaaS follows the policy below for handling reports of vulnerabilities you have identified in Hybrid SaaS's ICT systems. You may hold Hybrid SaaS to this when you find a weak spot in one of its systems.
We ask you:
To email your findings to support@hybridsaas.com.
To provide sufficient information to reproduce the problem so that Hybrid SaaS can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are sufficient, but for more complex vulnerabilities more may be needed.
To leave contact details so that Hybrid SaaS can get in touch with you to work together on a secure result. Leave at least an email address or telephone number.
To make the report as soon as possible after discovering the vulnerability.
Not to share the information about the security problem with others until it has been resolved.
To handle the knowledge of the security problem responsibly by not performing any actions that go beyond what is necessary to demonstrate the security problem.
So in any case avoid the following actions:
placing malware.
copying, modifying or deleting data in a system (an alternative is making a directory listing of a system).
making changes to the system.
repeatedly gaining access to the system or sharing access with others.
using so-called "brute forcing" of access to systems.
using denial of service or social engineering.
What you may expect:
If, when reporting a vulnerability you have identified in a Hybrid SaaS ICT system, you meet the above conditions, Hybrid SaaS will not attach any legal consequences to this report.
Hybrid SaaS treats a report confidentially and does not share personal data with third parties without the reporter's permission, unless this is required by law or by a court ruling.
By mutual agreement, Hybrid SaaS can, if you wish, mention your name as the discoverer of the reported vulnerability.
Hybrid SaaS will send you a confirmation of receipt within 1 working day.
Hybrid SaaS responds to a report within 3 working days with its assessment of the report and an expected date for a solution.
Hybrid SaaS keeps the reporter informed of the progress of resolving the problem.
Hybrid SaaS resolves the security problem you identified in a system as quickly as possible, and at the latest within 60 days. By mutual agreement it can be determined whether and how the problem is published after it has been resolved.
Hybrid SaaS offers a reward as thanks for the help. Depending on the severity of the security problem and the quality of the report, that reward can range from a gift voucher or a gadget to a job offer. It must concern a serious security problem not yet known to Hybrid SaaS.
Vulnerabilities in third-party ICT systems:
We would also like to hear from you if you have found a weak spot in a system of one of our customers. For systems of other owners/administrators and/or suppliers, you should first approach the organization itself. If the organization does not respond, or does not respond adequately, you can inform Hybrid SaaS. We will then take on the role of intermediary to reach a result together.
For reports about third-party systems:
First approach the owner, preferably in the manner set out in the responsible disclosure policy drawn up by that organization. If the organization does not respond, or does not respond adequately, to your report, you can submit a report to Hybrid SaaS so that we can act as intermediary.
Hybrid SaaS will respond to a report within 3 working days by contacting the owner and giving you a response.
The owner is primarily responsible for keeping the reporter informed of the progress of resolving the problem.
We will help the owner with advice so that the security problem can be resolved as quickly as possible.
We ask you to let us know whether and how there has already been contact with the organization.
Policy: http://www.hybridsaas.com/support/responsible-disclosure
78
Bug bounty programs / Hootsuite Bug Bounty
« Last post by Angelina on July 20, 2023, 06:30:25 pm »
submit bug report: https://hootsuite.com

We take security very seriously at Hootsuite, and have an Information Security Bug Bounty program geared towards the identification and remediation of security issues.
Submitting a Report
If you are interested in submitting your findings for review, please email hootsec@hootsuite.com. Please note that, upon your submission, it might take up to 5 business days to triage and identify the right severity for the issue. If Hootsuite is already aware of the issue, we do not offer any reward for the finding. We request you not to share or publish an unresolved vulnerability with any third parties.
Please make sure the findings you are submitting are reproducible and not self-exploitation issues. Make sure to include the following content in the submission:
Title of the finding
Description of the finding
Location of the finding (product module/page)
Steps to reproduce (include Request/Response logs if applicable)
Screenshots/Video recording (if applicable)
Severity
Please refer to the policy page to find out more about bug eligibility.
Contact Hootsuite Help for Other Inquiries
For incidents that affect a single account, please contact support; they are your fastest response for single-user security issues.
Policy: https://hootsuite.com/security
79
Bug bounty programs / Hiro Bug Bounty
« Last post by Angelina on July 20, 2023, 06:29:30 pm »
submit bug report: https://hiro.so

Out of scope
The following items are considered out of scope for the Hiro bug bounty program:
Stacks Blockchain: For issues related to the Stacks blockchain, please report them through the Stacks Blockchain Bounty Program.
Ordinals Protocol: The Hiro bug bounty program does not cover reports related to the Ordinals protocol.
Bitcoin: Reports related to the Bitcoin blockchain are also out of scope for the Hiro bug bounty program.
Disclosure Policy
We kindly request that you adhere to the following guidelines when participating in our program:
Upon discovering a potential security issue, please notify us as soon as possible, and after the investigation and thorough evaluation, we will make every effort to resolve the issue promptly.
Please provide us with a reasonable amount of time to investigate and address the issue before disclosing it to the public or any third party. Our team is available Monday to Friday and will make a best effort to meet the following SLAs for hackers participating in our program:
First Response: 2 business days
Time to Triage: 7 business days
Time to Resolution: will depend on severity and complexity
Make a good faith effort to avoid privacy violations, data destruction, and interruption or degradation of our services. Only interact with accounts you own or with explicit permission from the account holder.
We request that you refrain from engaging in activities such as:
Denial of service attacks
Spamming
Social engineering (including phishing) targeting Hiro PBC staff or contractors
Any physical attempts against Hiro PBC property or data centers
Thank you for your valuable contributions to maintaining the security of Hiro and our users. We greatly appreciate your efforts in helping us create a safe and reliable Stacks ecosystem.
80
Bug bounty programs / Hirevue Bug Bounty
« Last post by Angelina on July 20, 2023, 06:28:31 pm »
submit bug report

Email us about vulnerabilities at security@hirevue.com or submit reports at HackerOne. Please use our public key for all communication.
Rules for Testing HireVue
Do not email us requesting an invite to our private HackerOne program. If you've found an issue, email us (security@hirevue.com) with the basics and we'll send you an invite if it is an eligible finding.
Do not use any automated tools of any kind. It disrupts our service and the bugs found by them will all be duplicates.
Submit only bugs which you have actually tested and found a problem. Do not submit generic reports about a "possible" security problem. We need specific attack vectors.
Do not send us "Security Best Practices" reports. We already know about these.
Do not game the HackerOne system. Don't report bugs that don't exist just in case they do. We will work with HackerOne to ban your account.
Please only report issues that are very clearly security problems. If in doubt, don't submit it.
Do not harass us asking for rewards or bounties. We will offer you a bounty if your report is serious enough. We want to reward you for your work, but clicking a button on some tool you downloaded is not a way to get rewarded.
You may only email security@hirevue.com with findings. Do not spam public email addresses you've found online. We will report anyone who does this to HackerOne.
HireVue's marketing site (www.hirevue.com) is not within the scope of our product offering; any information provided in relation to that site will be treated as informational.
If we find that you're in violation of any of these rules we will reject your reports. We ask that you be respectful and we'll do the same.
Disclosure Policy
Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Bounty Program
To show our appreciation of responsible security researchers, HireVue offers swag and/or monetary bounties for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.
Exclusions
While researching, we'd like to ask you to refrain from:
Denial of service
Spamming
Social engineering (including phishing) of HireVue staff or contractors
Any physical attempts against HireVue property or data centers
HireVue's marketing site (www.hirevue.com) is not within the scope of our product offering; any information provided in relation to that site will be treated as informational.
Thank you for helping keep HireVue and our users safe!