Gitcoin.co Security Bounty

[owocki]

Gitcoin Security Bounty Program

Gitcoin is an open-source marketplace with our code available for inspection and research. If you discover a severe bug affecting the privacy, data, or security of our users we ask that you disclose responsibly and privately. For security related vulnerabilities we reward researchers for private and professional disclosure.

Non-security issues (style issues, gas optimizations) are not eligible for this bounty.

Guidelines

Participating in our security bounty program requires you to follow our guidelines. Responsible investigation and reporting includes, but not limited to the following:

• Don't download, modify, or destroy other users' data.

• Don't cause a denial-of-service on our platform through exploits, vulnerabilities, traffic, or causing issues with our technology providers.

• Don't repeatedly request updates on your reports. Gitcoin is a small team and constant requests for updates can render your report ineligible. Allow us up to 21 days to respond to your emails.

• Do only use your own account to test issues in production. You can also download our open source code and run your own instance to research and test for vulnerabilities.

• Social engineering attacks, DDOS, physical access, spearfishing, etc. are not eligible.

• Payouts will be made to the first individuals who submit a report.

The Gitcoin team has the final say in all determinations of bounty payouts including severity, classification, amount, whether the report falls under our guidelines, etc.

Vulnerabilities should be disclosed directly to the Gitcoin team by emailing securitybounty@gitcoin.co - reports should not be made publically or to any third party. These communications must remain confidential to be eligible.

Threats, ransom demands, unprofessional language, etc. of any kind will automatically disqualify you from participating in the program.

The only domain eligible for the bounty program is https://gitcoin.co - no subdomains, related services, etc. are within the scope of the program. Vulnerabilities found in support services (ex: Slack, Wordpress, etc.) are not eligible.

Vulnerability Scope

Any significant vulnerability may be eligible for an award provided it follows the guidelines set in this document.

Some examples of eligible issues are:

• Cross-Site Request Forgery (CSRF)

• Cross-Site Scripting (XSS)

• Code Executions

• SQL Injection

• Server Side Request Forgery (SSRF)

• Privilege Escalations

• Authentication Bypasses

• Data Leaks

Some examples of ineligible issues are:

• Rate Limiting

• Stack Traces

• Self-XSS

• Man in the Middle (MiTM) Attacks

• Denial of Service Attacks

• Cache Poisoning

• Clickjacking

• Missing DNS Records

• Brute Force Attacks

• Vulnerabilities in third party services or third party platforms

• Vulnerabilities in past versions of the software

• Vulnerabilities affecting outdated browsers or operating systems

Eligible Reports must contain enough information and a proof of concept code or screenshots. After a report is made and confirmed, efforts will be made to fix the issue. Researchers agree to assist in the testing of the fixes.

Vulnerability severity is judged by the OWASP model

Payouts will be awarded in ETH and converted from USD at the time of payout - please include your Ethereum address and Gitcoin username when submitting a report:

Critical: $600

High: $225

Medium: $125

Low: $30

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

This issue now has a funding of 4.0 ETH (18249.2 USD @ $4562.3/ETH) attached to it.

• If you would like to work on this issue you can 'start work' on the Gitcoin Issue Details page.
  • Want to chip in? Add your own contribution here.
  • Questions? Checkout Gitcoin Help or the Gitcoin's Discord
  • $6,880,278.61 more funded OSS Work available on the Gitcoin Issue Explorer

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

Work has been started.

These users each claimed they can complete the work by 264 years, 3 months from now. Please review their action plans below:

1) febiagus has started work.

The Gitcoin team has the final say in all determinations of bounty payouts including severity, classification, amount, whether the report falls under our guidelines, etc. 2) paffur has started work.

scfdfsdfssdsadasdsadsadasdasdsadasdasdasdasdasdasdasdasdas 3) benzfc has started work.

เพื่อการพัฒนาและปรับใช้ รับรางวัล 4) himika841 has started work.

Ggjjnnxtyjnbcxgjkncswtukjbcxxsddg 5) hasssan04 has started work.

I will creat a good cod for you 6) toonza1150 has started work.

The Gitcoin team has the final say in all determinations of bounty payouts including severity, classification, amount, whether the report falls under our guidelines, etc. 7) allenliu1111 has started work.

Will cooperate to do all task for project 8) balakier620 has started work.

I am on it and will work hard everyday to ind a solution 9) codeforceone has started work.

I will begin by reviewing your open source code for any vulnerabilities. Then following your guidelines I will submit my findings to you. 10) 6ug has started work.

I am good with security stuff, let me try finding issues too :) 11) mrcali213 has started work.

I’ll do what it takes to get it fixed 12) rawdata1 has started work.

Do a recon to check for the low hanging fruit, then based on the results decide what to do 13) upendranallabolu has started work.

I will follow the guidelines mentioned in the bounty. 14) arslan-raza-143 has started work.

Check out this bounty that pays out 4.0 ETH https://gitcoin.co/issue/YXJzbGFuLXJhemEtMTQzWDk2Z1JBVnZ3eDUydVM2dzRRWUNVSFJmUjNPYW9CMjcwMTk= #security 15) asanso has started work.

javascript:alert()

[developerfred]

@owocki https://gitcoin.co/issue/6ug-test3/-svg-onload-prompt-0-/2/100027032

I can't estimate the problem level of this bug, but our client is accepting javascript inject in the creation of new bountys this is a problem when hunters start interacting with this bounty.

possible solution

Parse any html for markdown

[6ug]

@owocki @developerfred hey, that is my test user. I discovered that issue and sent email to kevin and engineering with bug report. The email mentions from where it is coming.

So sorry for creating chaos, but this is critical issue, you should fix it asap. :) [Edit: or maybe we can remove that issue all together, I can't find option to remove issue (only found cancel issue option) so please check if you can remove it from yourside]

[gdixon]

Thanks @6ug / @developerfred - the fix is going out now - we will get back to you on the email thread asap!

[developerfred]

Thanks @6ug / @developerfred - the fix is going out now - we will get back to you on the email thread asap!

I open a proposal to rewrite explorer in a decentralized way https://gov.gitcoin.co/t/proposal-dexplorer-bounty-fund-bounty/8960

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

Work for 4.0 ETH (18232.75 USD @ $4497.14/ETH) has been submitted by:

---

• Learn more on the Gitcoin Issue Details page
• Want to chip in? Add your own contribution here.
• Questions? Checkout Gitcoin Help or the Gitcoin's Discord
• $6,930,424.13 more funded OSS Work available on the Gitcoin Issue Explorer

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

Work for 4.0 ETH (6262.1 USD @ $1565.53/ETH) has been submitted by:

1. @mrcali213
2. @neo822
3. @asanso
4. @evilairborn
5. @lakki1
6. @dkcam
7. @toonza1150
8. @mikealonely
9. @himika841
10. @azullazullyah
11. @duongsky96
12. @ngenge111
13. @nqtacn
14. @benzfc
15. @satoshinakamoto007
16. @william3johnson
17. @thehated1

@owocki please take a look at the submitted work:

• PR by @thehated1
• PR by @william3johnson
• PR by @satoshinakamoto007
• PR by @benzfc
• PR by @nqtacn
• PR by @ngenge111
• PR by @duongsky96
• PR by @azullazullyah
• PR by @himika841
• PR by @mikealonely
• PR by @toonza1150
• PR by @dkcam
• [PR](vulnerability report sent to engineering@gitcoin.co) by @lakki1
• [PR](javascript:alert()

[GrooChu]

@owocki I'm not sure if this could be classified as bug. Please take a look at it. I was playing around with the funding url by hitting an invalid funded issue https://gitcoin.co/funding/details/?url=https://google.com It loads for 10 to 15 seconds and results in below error.

But then If I try to replace google.com with any other url(even urls that don't even exist), its properly returning the No issue found image like below

Not sure why it's taking so much time for google.com and crashing.

[developerfred]

Should not show bounty canceled in explorer:

https://gitcoin.co/issue/sifchain/sifnode/2181/100027131

[Nqtacn]

G

[William3Johnson]

A

[TheHated1]

It's always happen whenever trying to claim weekly and monthly kudos, due server side error.

• Error codes that fall into the 5XX range specify problems with the server.
• cleared my cookies, changed my the browser ( Firefox, Google chrome ) and The issue still the same.