The ESP32 Security Bug Bounty Program (US$500!)

Postby ESP_Faye » Fri Mar 31, 2017 2:00 am

The ESP32 Security Bug Bounty Program

PROGRAM DESCRIPTION
Espressif is pleased to launch the ESP32 Security Bug Bounty Program with immediate effect from Mar. 30th, 2017 onwards.
We will offer US$500 to any developer reporting a previously unknown security-related bug in our latest ESP-IDF. $1729 more for proof of concept!

WHAT CONSTITUTES AN ELIGIBLE BUG REPORT?
In the following links you can find more details about our ESP-IDF Programming Guide, particularly about Security Function, Flash Encryption and Secure Boot. Bugs irrelevant to security are not included in the Bug Bounty Program.
Also, developers should focus only on the latest version of our ESP-IDF.

If multiple developers happen to report the same bug, the award will be given to the first one who files a bug report.

HOW DO I REPORT A BUG?
Fill in the attached form and send it to bugbounty@espressif.com. Full details about the bug are required, including bug name, bug description, the ESP-IDF version in which it was found, relevant hardware information, test steps, reference codes, log output, and any other information deemed necessary for identifying and verifying the reported bug.
Attachment: ESP32 BUG REPORT TEMPLATE.docx
We cannot accept responsibility for reports not properly sent. Incomplete or false reports will not be accepted. We may ask for clarifications if needed.

I’VE REPORTED A BUG, NOW WHAT?
  1. You will receive an email acknowledging the receipt of your bug report.
  2. Then, our engineers will review your report and validate its eligibility. The duration of reviewing may vary, depending on the complexity and completeness of your report, as well as number of bug reports we receive. In any case, you will get an update on the bug, as we shall respond to you personally and fix any confirmed vulnerability before going public.
  3. Upon bug verification, we shall contact you, asking to provide us with all necessary information that will facilitate your payment for eligible bug reports.
  4. For eligibility, bugs must not be disclosed publicly until after Espressif engineers have responded and produced fixes for any issues if necessary.
BOUNTY PAYMENTS
In general, we shall make payments via bank transfer. Award recipients are responsible for dealing with any tax implications or local laws, rules and regulations applicable to their country/ state/ province.

RIGHTS RESERVED
Espressif reserves the right to decide whether the bug report is valid. Decisions made by Espressif are final and binding.

We look forward to your participation!
ESP32 Security Bug Bounty Program

Program overview:

Espressif is pleased to announce the launch of the ESP32 Security Bug Bounty Program, effective from March 30, 2017.
We will pay US$500 for each security bug in ESP-IDF that is judged to be valid, and up to US$1729 if a proof of concept (POC) is provided, to encourage developers to use the officially released ESP-IDF and report previously unknown security-related issues in it.

The detailed rules of the ESP32 Security Bug Bounty Program are as follows:

What counts as a valid security bug?

First, it must be a bug related to a security feature. For details on the security features, please refer to the ESP-IDF documentation on Flash Encryption and Secure Boot.
Bugs unrelated to security features are currently not covered by the bounty program.
It must come from the latest officially released ESP-IDF.
It must be unknown. This means the bug was not publicly known when the official ESP-IDF was released, and no other developer reported it before you did.

How do I report a bug?

Please fill in the attached form and send it to bugbounty@espressif.com. You need to provide detailed information about the issue, including the bug name, ESP-IDF version number, hardware module information, bug description, detailed test procedure, reference code, log output, and any other necessary information.
Attachment: ESP32 BUG REPORT TEMPLATE.docx
If we fail to receive your email due to unforeseen circumstances, or if the bug you report is incomplete and cannot be accurately identified, it will not be accepted. If needed, we will contact you and ask you to clarify the issue.

I have reported the bug I found. What happens next?
  1. You will receive an email from us confirming that we have received your report.
  2. Our engineers will test the bug you reported and verify its validity; please allow us to contact you for more information.
  3. The review time will vary depending on the complexity and completeness of the reported issue, as well as the number of reports we receive, but we will always keep you updated on our progress in a timely manner.
  4. To maintain the validity of the BBP, please do not disclose the issue publicly in advance; we will verify the issue you report and resolve it promptly.
Bounty payment
We will pay your bounty by bank transfer.
You are responsible for paying any applicable taxes in accordance with the laws and regulations of your country.

Rights reserved
Espressif reserves the right to decide whether a reported bug is valid. Espressif's decision is final and binding.

ESP32 Security Bug Bounty Program from Espressif: we sincerely look forward to your participation!
