Gitcoin.co Security Bounty

[owocki]

Gitcoin Security Bounty Program

Gitcoin is an open-source marketplace with our code available for inspection and research. If you discover a severe bug affecting the privacy, data, or security of our users we ask that you disclose responsibly and privately. For security related vulnerabilities we reward researchers for private and professional disclosure.

Non-security issues (style issues, gas optimizations) are not eligible for this bounty.

Guidelines

Participating in our security bounty program requires you to follow our guidelines. Responsible investigation and reporting includes, but not limited to the following:

• Don't download, modify, or destroy other users' data.

• Don't cause a denial-of-service on our platform through exploits, vulnerabilities, traffic, or causing issues with our technology providers.

• Don't repeatedly request updates on your reports. Gitcoin is a small team and constant requests for updates can render your report ineligible. Allow us up to 7 days to respond to your emails.

• Do only use your own account to test issues in production. You can also download our open source code and run your own instance to research and test for vulnerabilities.

• Social engineering attacks, DDOS, physical access, spearfishing, etc. are not eligible.

• Payouts will be made to the first individuals who submit a report.

The Gitcoin team has the final say in all determinations of bounty payouts including severity, classification, amount, whether the report falls under our guidelines, etc.

Vulnerabilities should be disclosed directly to the Gitcoin team by emailing engineering@gitcoin.co - reports should not be made publically or to any third party. These communications must remain confidential to be eligible.

Threats, ransom demands, unprofessional language, etc. of any kind will automatically disqualify you from participating in the program.

The only domain eligible for the bounty program is https://gitcoin.co - no subdomains, related services, etc. are within the scope of the program. Vulnerabilities found in support services (ex: Slack, Wordpress, etc.) are not eligible.

Vulnerability Scope

Any significant vulnerability may be eligible for an award provided it follows the guidelines set in this document.

Some examples of eligible issues are:

• Cross-Site Request Forgery (CSRF)

• Cross-Site Scripting (XSS)

• Code Executions

• SQL Injection

• Server Side Request Forgery (SSRF)

• Privilege Escalations

• Authentication Bypasses

• Data Leaks

Some examples of ineligible issues are:

• Rate Limiting

• Stack Traces

• Self-XSS

• Man in the Middle (MiTM) Attacks

• Denial of Service Attacks

• Cache Poisoning

• Clickjacking

• Missing DNS Records

• Brute Force Attacks

• Vulnerabilities in third party services or third party platforms

• Vulnerabilities in past versions of the software

• Vulnerabilities affecting outdated browsers or operating systems

Eligible Reports must contain enough information and a proof of concept code or screenshots. After a report is made and confirmed, efforts will be made to fix the issue. Researchers agree to assist in the testing of the fixes.

Vulnerability severity is judged by the OWASP model

Payouts will be awarded in ETH and converted from USD at the time of payout - please include your Ethereum address and Gitcoin username when submitting a report:

Critical: $600

High: $225

Medium: $125

Low: $30

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

This issue now has a funding of 4.0 ETH (751.71 USD @ $187.93/ETH) attached to it.

• If you would like to work on this issue you can 'start work' on the Gitcoin Issue Details page.
  • Want to chip in? Add your own contribution here.
  • Questions? Checkout Gitcoin Help or the Gitcoin Slack
  • $133,493.48 more funded OSS Work available on the Gitcoin Issue Explorer

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

Work has been started.

These users each claimed they can complete the work by 4 months, 2 weeks ago. Please review their action plans below:

1) ririen has started work.

Checking the platform for security cyclically, at least once a week. 2) viraja1 has started work.

Will try to find security related issues 3) yosepadi1 has started work.

I hope this project develops rapidly 4) kojotcwc has started work.

I need crypto ! :) please send me anyone 5) naggertooth has started work.

Hi guys I ve just tryed first form i see And there is no filter :) It was a popup in right down angle with question: What was the reason that you clicked on this issue?

I can continue work later, when i ll eat next time

And, u know, u promised me a t-shirt in a past and u didnt send it to me It was sad :)

POST https://in.hotjar.com/api/v1/client/sites/939263/polls/349738 HTTP/1.1 Host: in.hotjar.com Connection: keep-alive Content-Length: 725 Origin: https://gitcoin.co User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36 Content-Type: application/json; charset=UTF-8 Accept: / Sec-Fetch-Site: cross-site Sec-Fetch-Mode: cors Referer: https://gitcoin.co/issue/gitcoinco/web/5053/3351 Accept-Encoding: gzip, deflate, br Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7

{"utk":null,"response_content":"{\"version\":4,\"answers\":[{\"question\":\"What was the reason that you clicked on this issue?\",\"questionUuid\":\"c7e2071e\",\"questionSignature\":\"HkDAeupYZHIV51x8df8RUhYIu00\",\"answer\":\"Title of the Issue was appealing\",\"comment\":null},{\"question\":\"Do you plan to work on this issue?\",\"questionUuid\":\"c0a07e4f\",\"questionSignature\":\"S2qA_C4RXOXL7tM5W86Ldv5xP-0\",\"answer\":\"Yes\",\"comment\":\"><img src=\\"https://google.com\\\">\"}]}","action":"update_poll_response","poll_response_id":221159898,"window_width":1920,"window_height":937,"user_id":"d31ad229-38a5-5968-b288-bc20bade4653","url":"https://gitcoin.co/issue/gitcoinco/web/5053/3351"}

HTTP/1.1 200 OK Date: Tue, 28 Jan 2020 13:01:18 GMT Content-Type: application/json Content-Length: 17 Connection: keep-alive Server: openresty Cache-Control: no-cache, no-store X-Frame-Options: SAMEORIGIN Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Max-Age: 600

{"success": true} 6) palanes1978 has started work.

rovide an action plan and any initial questions you have for this ticket. (Your response will be reflected in a comment on the Github issu 7) walidmujahid has started work.

I hack on Gitcoin - currently contributing through on new features mainly proposes in Gitcoin-specific Hackathon prizes. I intend to expand to contributing to other areas such as fixing any bugs that may come up and generally just trying to help make Gitcoin better. With that said, I am apply for this bounty so I do not forget to keep an eye open for any security issues as I work on various aspects of Gitcoin.

I will also make a point to actively search for security flaws and issues periodically and as new Gitcoin versions are released. I understand the proper etiquette along with private and professional disclosure. I have also read and understood the guidelines. 8) walidmujahid has started work.

I hack on Gitcoin - currently contributing through on new features mainly proposes in Gitcoin-specific Hackathon prizes. I intend to expand to contributing to other areas such as fixing any bugs that may come up and generally just trying to help make Gitcoin better. With that said, I am apply for this bounty so I do not forget to keep an eye open for any security issues as I work on various aspects of Gitcoin.

I will also make a point to actively search for security flaws and issues periodically and as new Gitcoin versions are released. I understand the proper etiquette along with private and professional disclosure. I have also read and understood the guidelines. 9) bild96 has started work.

Glad to serve Gitcoin community, not only for the bounty. It's more than encourage open source platform to spread knowledge and enhance workflow. 10) oldas1 has started work.

How much can you earn?

• The value of BTC will be based on market value at the time of the payout.

** The price of the Stacks Tokens distributed under the App Mining program in exchange for non-cash consideration will be deemed to be $0.30 per token for at least three months from the first distribution of tokens pursuant to this offering circular, for purposes of determining whether over $40,000,000 of Stacks Tokens have been sold under this offering.

If at any time following that three-month period the Stacks Tokens are traded on one or more authorized exchanges or alternative trading systems, and there are trades for at least one million Stacks Tokens executed through or on exchanges or alternative trading systems during any calendar month (any such month, a calculationmonth), then we will value the tokens paid to developers in the following month and in all subsequent months until and including the end of the next calculation month at the average closing bid price for the tokens during the calculation month.

We will disclose both any changes to the price of the Stacks Tokens to be distributed pursuant to this offering circular, and whether the new calculation price will result in a curtailment of the number of Stacks Tokens being issued in the next month, using either an offering circular supplement filed under Rule 253(g)(2) or a post-qualification amendment, depending on the facts and circumstances at the time of such change. 11) federicosan has started work.

I already posted one topic that was liked! I can think about some other topics if I am allowed. Also I would like to know how to claim the bounty thank you. 12) doggykrycha has started work.

I checked the website code and found one problem. I'm a person who works as a cybersecurity specialist and I will be happy to help. 13) protolambda has started work.

Hey, found a possible bug in gitcoin grants, please contact me on proto@ethereum.org 14) jethanh has started work.

I already DM'ed this on twitter, didn't know this bug bounty was a thing. 15) debilionia has started work.

as a hacker i believe there is a-lot to unveil to gitcoin about the data leakage, i will also build a patch for the leakage. 16) orhan-code has started work.

I'll try; Cross-Site Request Forgery (CSRF)

Cross-Site Scripting (XSS)

Code Executions

SQL Injection

Server-Side Request Forgery (SSRF)

Privilege Escalations

Authentication Bypasses

Data Leaks 17) chandsingh has started work.

Hello Team,

I reported a security issue of your website. So, please response me.

For bounty this is my ETH address: 0xc6e5b4076B4d8fAEd18D0360F8C8079e05BA010C 18) gitcoindeveloper has started work.

Users can apply for work multiple times instead of one time..

i found this accidently..

checkout: https://gitcoin.co/issue/Badger-Finance/gitcoin/8/100025943

in above i have applied for 34 times, accidently and i am finding how this happend..

BTW this happened accidently, without any code just some random button on keyboard.. i think i am able to produce this issue again, i will update soon 19) graomelo has started work.

I have experience with information security and blockchain, I can carry out this project.

Learn more on the Gitcoin Issue Details page.

[L-KH]

After looking site https://gitcoin.co/ I get a low severity bug. Name : Absence of Anti-CSRF Tokens Impacts : integrity, confidentiality, availability, access_control, non_repudiation Serevity : Low Method : GET Sample : Request GET https://gitcoin.co/ HTTP/1.1 Content-Length : 0 User-Agent : Mozilla/5.0 (Windows NT 6.3; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0 Host : gitcoin.co Referer : http://gitcoin.co/ Pragma : no-cache Cache-Control : no-cache

Response 200 OK Content-Length : 59560 X-XSS-Protection : 1; mode=block X-Content-Type-Options : nosniff Content-Language : en Strict-Transport-Security : max-age=3600; includeSubDomains; preload Vary : Accept-Language, Cookie, Origin Server : nginx Connection : keep-alive Date : Tue, 27 Aug 2019 13:54:48 GMT X-Frame-Options : DENY Content-Type : text/html; charset=utf-8

Description No Anti-CSRF tokens were found in a HTML submission form. A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

CSRF attacks are effective in a number of situations, including:

• The victim has an active session on the target site.
• The victim is authenticated via HTTP auth on the target site.
• The victim is on the same local network as the target site.

Other information No known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret] was found in the following HTML form: [Form 1: "newsletter-input" ]. References http://projects.webappsec.org/Cross-Site-Request-Forgery http://cwe.mitre.org/data/definitions/352.html Common Weakness Enumeration https://cwe.mitre.org/data/definitions/352.html

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

Work for 4.0 ETH (981.66 USD @ $245.41/ETH) has been submitted by:

1. @l-kh
2. @ririen
3. @viraja1
4. @agbilotia1998
5. @yosepadi1
6. @sergejmueller
7. @palanes1978
8. @palanes1978

@owocki please take a look at the submitted work:

• (Link Not Provided) by @Palanes1978
• (Link Not Provided) by @Palanes1978
• PR by @yosepadi1
• PR by @agbilotia1998
• (Link Not Provided) by @viraja1
• (Link Not Provided) by @ririen
• (Link Not Provided) by @sergejmueller
• PR by @L-KH

---

• Learn more on the Gitcoin Issue Details page
• Want to chip in? Add your own contribution here.
• Questions? Checkout Gitcoin Help or the Gitcoin Slack
• $87,521.31 more funded OSS Work available on the Gitcoin Issue Explorer

[danlipert]

@L-KH Thanks for submitting your report - can you share with us a screenshot of the affected form? Thanks!

[oritwoen]

I submitted the report to: engineering@gitcoin.co

[sergejmueller]

The Gitcoin reminder says, i should enter my reported issues here ;)

• TSL issues [LOW] communicated to @danlipert
• ENS issue [LOW] communicated to @danlipert

[oritwoen]

Another reports submitted on: engineering@gitcoin.co

ping @danlipert

[federicosan]

@owocki I never heard back from engineering for the things I found. should I submit my work? @danlipert Should I send again the details of what I find? Preventive measures have already been taken by @owocki, but maybe there is more to it.

[owocki]

hey federico; i defer to @danlipert on this one.

[oritwoen]

I sent a few days ago a report to email engineering@gitcoin.co :)

ping @danlipert @owocki

[GITCOINDEVELOPER]

@Kweiss sir please look at my report https://github.com/GITCOINDEVELOPER/security/tree/main

[owocki]

moved to https://github.com/gitcoinco/web/issues/9659