Gitcoin Passport bug bounty

The integrity of our identity verification application is one of our highest priorities. Therefore, our bug bounty program for the Gitcoin Passport rewards up to $600 (paid in DAI).

Here’s how the bounty works.

What we want you to investigate

All code in the repository https://github.com/gitcoinco/dPopp is eligible for the bounty.

The Gitcoin product ecosystem, in general, is not part of this bug bounty program.

What vulnerabilities to look for

We, of course, want to know every vulnerability, but in particular:

Safety bugs
Denial of service vectors
Inconsistencies in assumptions, like situations where somebody could create fake credentials
Calculation or parameter inconsistencies
Data leaks that might make an individual passport personally identifiable

How Gitcoin Passport works

Many social organizations, online particularly, have difficulty ensuring that every participant is a unique human and does not have multiple participating accounts. Most existing digital identity solutions are either centralized (e.g., national identity cards) or individualistic (e.g., most “self-sovereign” identity models). However, identity is naturally intersectional and social; everybody shares different data and relationships with a unique set of others. The Gitcoin Passport aims to provide a more collaborative and secure infrastructure for digital identity by capturing the richness of our diversely shared lives.

The Gitcoin Passport is an identity verification application. We have written software enabling people to grow personal ledgers of verifiable credentials about themselves and organizations to assess their identities to coordinate rights and responsibilities. The institutions define, verify, and utilize identity as functions of the networked records of the individuals. While we build the Passport agnostic to specific applications, we are actively exploring its benefits for personhood proofs and plurality in organizational designs.

The rules

We follow many of the bug bounty rules that the Ethereum Foundation does:

Decisions on the eligibility and size of a reward are the sole discretion of Gitcoin.
Any disclosure of a vulnerability to the public or other third parties (such as the media) before Gitcoin makes it public will disqualify the bounty. You must privately submit issues to securitybounty@gitcoin.co.
Issues must be new to the team. Another builder or an audit can’t have already identified them.
No employees, contractors, or others with current or prior commercial relationships with Gitcoin are eligible for rewards -- this includes auditors used by Gitcoin.
Provide the steps required to demonstrate an issue. If we cannot reproduce a problem, we will not be able to reward it.

Bounty size

The bounty's size will vary depending on the severity of the issue discovered. We calculate the severity according to the OWASP risk rating methodology based on impact and likelihood.

We guide decisions on the eligibility and size of a reward by the rules above. Nevertheless, any determination is at the sole discretion of Gitcoin.

Critical: $600
High: $225
Medium: $125
Low: $30

Other considerations

In addition to severity, we may also consider factors like:

Quality of description. We pay higher rewards for clear, well-written submissions.
Quality of reproducibility. Please include test code, scripts, and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
Quality of fix, if included. We pay higher rewards for submissions with a clear description of how to fix the issue.

Please also

Give us time to investigate anything you report before sharing it publicly or with others
(And hopefully, this goes without saying) don't exploit an issue if you find one
Try wherever possible to avoid privacy violations, destruction of data, and interruption or degradation of our service

Submission process

Please email securitybounty@gitcoin.co.

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

Workers have applied to start work.

These users each claimed they can complete the work by 264 years, 2 months from now. Please review their action plans below:

1) jcbm123143 has applied to start work _(Funders only: approve worker | reject worker)_.

I already have a solution to other bugs in Gitcoin Passport that I emailed to passport@gitcoin.co and I will look for other bugs. I just want to share my knowledge to solve the bugs. 2) alex0xhodler has applied to start work _(Funders only: approve worker | reject worker)_.

I'm a seasoned QA engineer working for more than 10 year in software development for big tech 3) divvela07492 has applied to start work _(Funders only: approve worker | reject worker)_.

I have connected passport previously shown 125% but now showing 65% and today i verfied ENS also still showing 65% .its as bug please recitify. 4) ilyaskaram has applied to start work _(Funders only: approve worker | reject worker)_.

i am a software engineer and love to work in this 5) supersteemian has applied to start work _(Funders only: approve worker | reject worker)_.

Found a bug and want to display to the team. 6) prophet7821 has applied to start work _(Funders only: approve worker | reject worker)_.

Although I'm a beginner, I think I can manage 7) infantaanu has applied to start work _(Funders only: approve worker | reject worker)_.

Would love to work on this project 8) anvith1001 has applied to start work _(Funders only: approve worker | reject worker)_.

I would like to work on this project. 9) ttoansty has applied to start work _(Funders only: approve worker | reject worker)_.

dPopp cho phép người dùng chứng minh danh tính của họ thông qua giao diện người dùng an toàn, phi tập trung 10) tms1337 has applied to start work _(Funders only: approve worker | reject worker)_.

Applying so I can keep note.

Will submit or comment if bug found. 11) bhndt has applied to start work _(Funders only: approve worker | reject worker)_.

I agree to keep the funder informed of my progress every few days. 12) kelvin834 has applied to start work _(Funders only: approve worker | reject worker)_.

Using a concrete and standard equipment for my plan to bring out the standard building

Learn more on the Gitcoin Issue Details page.

gitcoinco / passport