At Protect AI, we understand the importance of open source software, and the benefits it has for organisations and individuals around the world. We support an open source vulnerability disclosure program, where any member of the public can report vulnerabilities found in repositories on GitHub.com.
With our responsible disclosure policy, we follow a co-ordinated security process by default. We disclose all vulnerabilities directly to the maintainer. To this effect, participants can rectify any potential vulnerability in the repository privately, before sharing it with the public.
As part of our program, it is important that all contributors receive the recognition they deserve. Once a vulnerability has been fully disclosed, acknowledged by the maintainer, and subsequently patched, we credit all contributors involved for their crucial work in the process.
This policy covers all targets on our Bounties page, with the following exclusions:
- Non-code level (e.g. network or physical) vulnerabilities
- Vulnerabilities in target dependencies
- Vulnerabilities in test/demonstration code
- Vulnerabilities that effect live systems such as websites
- Secrets and private keys
- Vulnerabilities in any service, product or repository owned or maintained by Protect AI, or any of its subsidiaries
To view our Protect AI's vulnerability disclosure policies, please visit https://protectai.com/vulnerability-disclosure-policy
We take the security of maintainers, developers and organizations that use open source very seriously. In this light, we encourage all of our security researchers to:
- Follow all relevant laws when exploiting a vulnerability
- Respect a project's policies (e.g. Terms & Conditions, Security Policy), as defined on their GitHub/Website
- Perform thorough research and submit in-scope reports
- Use the identified methods of disclosure as defined in our policy
- Support disclosures with clear and simple details, including a proof-of-concept
If these guidelines are followed, we commit to:
- Recognise and credit the work of all contributors involved
- Support our security researchers in working with the maintainer to validate and remediate legitimate vulnerabilities
Failure to abide by this can lead to further actions being taken such as the loss of bounties and account suspension.
All vulnerability disclosures must go through our form. To be eligible for a bounty, your disclosure must go through our process, unless explicitly stated by one of the site admins.
When the security researcher submits their vulnerability report, we will acknowledge receipt of this disclosure by sending them an e-mail. The e-mail will be sent to the address linked to their registered account. This report is private by default, and only the reporter, contacted maintainers and site admins can view the advisory.
Once a disclosure is submitted, the maintainer of the vulnerable codebase will be invited to validate or invalidate the vulnerability with the security researcher. If validated, the disclosing researcher will be rewarded a bounty and a CVE (if applicable) will be assigned to the advisory.
If the maintainer doesn't respond within 45 days and the CVSS score is >7.0, it will go into our manual review. For CVSS <7.0 and no response or reasonable timeframe from the maintainer, we may opt to disclose vulnerabilities as early as 45 days following our initial contact attempt, regardless of the availability of a patch or update.
By default, maintainers are encouraged to patch the vulnerability themselves, and notify us of the relevant patch commit SHA. A bounty will then be rewarded to the maintainer that has patched the vulnerability. If needed, the reporting researcher is welcome to submit a patch through our platform as well.
To submit a fix, the researcher or maintainer will provide us with a repository and branch name, indicating where the patch exists. This will immediately notify the maintainer, where they can review the submitted fix and ultimately, decide if it patches the vulnerability. Once the maintainer confirms the upstream commit SHA for the patch, the related fixer will be rewarded a bounty.
We look to have a CVE (Common Vulnerability Enumeration) assigned to every (applicable) validated vulnerability. A validated vulnerability is defined by explicit verification from either a maintainer or from a member of triage team, where the vulnerability in question affects the security of the given project.
To find a list of our previous advisories, please visit our hacktivity page.
We pay bounties each month, typically on the 25th, via Stripe Connect. For the first month that you are due a payment, you will receive an email requesting you to create a Stripe Connect account. There you will need to provide your identity and payment information so that your account can be verified. Once you're account is verified, you will receive an email confirming the details of your payout. In subsequent months, you will only receive an email confirming the details of your payout.
Stripe Connect supports payouts to most countries. You can see the full list of supported countries here. If your country is not in this list, we will not be able to process a payout to you, but instead can offer to donate your payout to charity.
By accessing and using our Website, you acknowledge and agree that you are subject to the following conditions:
Eligibility: By participating in our Bug Bounty Platform, you confirm that you are not a citizen or resident of any country where such participation is prohibited by applicable laws, decrees, regulations, treaties, or administrative acts.
Sanctions and Embargoes: You further confirm that you are not a citizen or resident of, or located in, a country or region that is subject to U.S. or other sovereign country sanctions or embargoes.
Restricted Entities: Additionally, you acknowledge that you are not an individual employed by or associated with an entity identified on the U.S. Department of Commerce's Denied Persons or Entity List, the U.S. Department of Treasury's Specially Designated Nationals or Blocked Persons Lists, or the Department of State's Debarred Parties List. You must also be eligible to receive items subject to U.S. export control laws and regulations or comply with other economic sanction rules of any sovereign nation.
Age Requirement: Our Website is not intended for use by children under the age of 13. If you have not reached the age of majority in your jurisdiction of primary residence and citizenship, you must obtain your parents' permission to use this Website.
Pricing: Protect AI, in compliance with legal requirements, will provide users with a three-day notice of any price change when an algorithmic modification occurs.
By accessing and using our Bug Bounty Platform, you agree to abide by these eligibility requirements. Failure to meet any of the specified criteria may result in disqualification from participation in the program. We appreciate your commitment to ensuring compliance with all relevant laws and regulations to promote a safe and responsible bug hunting environment.
We appreciate your understanding and compliance with these additional terms.
We do not accept vulnerability disclosures over e-mail, but we encourage security researchers to contact us if they require any support or help in the process. Our team can be contacted at firstname.lastname@example.org. We look to respond to support queries as soon as possible.