We’ve run a private security bug bounty program since 2014. Invited testers reported quite a few security vulnerabilities to us, many of them critical. We investigated and fixed the vulnerabilities they reported and thanked them with cash rewards. Before 2014, and concurrently with the private bounty program, we ran a public “Hall of Fame” program where we accepted vulnerability reports via email and thanked reporters with credit on our website.
Since the day we launched it, we’ve aimed to take the security bug bounty program public: to allow anyone, not just a few invited hackers, to report vulnerabilities to us for a cash reward. We want to find and fix as many vulnerabilities in our products as possible, to protect our customers and the data they entrust to us. We also want to learn from and support the broader security community.
We’re happy to announce that we’re doing that today. The Basecamp security bug bounty program is now open to the public on HackerOne. Our security team is ready to take vulnerability reports for Basecamp 3 and HEY. Bounties range from $100 to $10,000. We pay more for more severe vulnerabilities, more creative exploits, and more insightful reports.
Here are some of the high-criticality reports we’ve fielded through the security bug bounty:
- Jouko Pynnönen reported a stored cross-site scripting (XSS) vulnerability in HEY that led to account takeover via email. We awarded $5,000 for this report.
- Hazim Aslam reported HTTP desynchronization vulnerabilities in our on-premises applications that allowed an attacker to intercept customer requests. We awarded $11,437 in total for these reports.
- hudmi reported that the AppCache web API (since deprecated and removed from web browsers) could be used to capture direct upload requests in Basecamp 3. We awarded $1,000.
- gammarex reported an ImageMagick misconfiguration that allowed remote code execution on Basecamp 3’s servers. We awarded $5,000.
Check out the full program policy on HackerOne. For information on what to expect when you report a vulnerability, see our security response policy. If you have any questions, don’t hesitate to reach out to [email protected]