SerenityOS bug bounty program
Like any respectable software project, SerenityOS also runs a bug bounty program.
I don't have a huge budget, but I want to reward good honest work.
I will pay $5 USD for exploitable bugs in these categories:
- Remote code execution.
- Local privilege escalation.
- Arbitrary code execution in the Browser when loading a remote web page.
- No rewards for bugs you caused yourself.
- The PoC exploit needs to work against the master branch at the time of claim.
- Max 5 bounties per person.
- No duplicates. If a bug is already reported, only the earliest reporter may claim the reward.
- Remote bugs must be exploitable with an unmodified "default setup" of SerenityOS. Bugs in programs that are not started by default don't qualify.
- The PoC exploit needs to work on a QEMU-emulated CPU that supports SMAP, SMEP, UMIP, NX, WP, and TSD natively.
- SerenityOS always runs with assertions enabled, so you'll need to find a way around them.
Rewarded bounties will be listed here, and I will also make a video dissecting each
exploit and showing what the bug was, and how I fix it.
To claim a reward, get in touch with me either on IRC (kling on Freenode) or via firstname.lastname@example.org