Security researchers, welcome onboard! I am excited to announce the bug bounty program for reNgine in collaboration with huntr.dev. This means you'll be rewarded for any security vulnerabilities discovered in reNgine.
Thank you for your interest in reporting vulnerabilities to reNgine! If you are aware of a potential security vulnerability in reNgine, we encourage you to report it immediately via huntr.dev.
Please do not disclose any vulnerabilities via GitHub issues, blogs or tweets, whether before or after reporting on huntr.dev. Doing so is explicitly against the huntr.dev and reNgine disclosure policy, and such reports will not be eligible for monetary rewards.
Please note that the maintainer of reNgine does not determine the bounty amount. The bounty reward is determined by huntr.dev's industry-first equation, which weighs the popularity, impact and value of the repository to the open source community.
What do we expect from security researchers?
- Patience: Please note that I am currently the only maintainer of reNgine, so it will take some time to validate your report. I request your patience throughout the process.
- Respect the privacy of security reports: Please do not disclose any vulnerabilities in public (this also includes GitHub issues) before or after reporting on huntr.dev! That is against the disclosure policy and will make the report ineligible for monetary rewards.
- Respect the rules
What do I get in return?
- Much thanks from the maintainer
- Monetary Rewards
- CVE ID(s)
Please find the FAQ and responsible disclosure policy on huntr.dev.
Thanks to these individuals for reporting security issues in reNgine:
- [HIGH] Blind command injection in CMS Detector, reported by Abdulrahman Abdullah
- [HIGH] Command injection via Proxy, reported by Koen Molenaar
- [HIGH] Command injection via YAML Engine, reported by Koen Molenaar and zongdeiqianxing
- [MEDIUM] Path traversal/LFI, reported by Koen Molenaar
- [LOW] Stored XSS on Import Targets via filename, reported by Veshraj Ghimire
- [LOW] Stored XSS on HackerOne Markdown template, reported by Smaran Chand and Ayoub Elaich
- [LOW] Stored XSS via Scan Engine name, reported by nerrorsec
- [LOW] HTML injection in Subscan, reported by nerrorsec
- [LOW] Stored XSS on Detail Scan page via page title parameter, reported by omemishra
- [LOW] Stored XSS on Vulnerability Scan page via URL parameter, reported by Arif Khan and payloadartist
- [LOW] Several instances of XSS in reNgine 1.0 (#460, #459, #458, #457, #456, #455), reported by Binit Ghimire
- [LOW] Stored XSS on GF Pattern via filename, reported by nerrorsec
- [LOW] Stored XSS on Delete Scheduled Task via Scan Engine name, reported by nerrorsec
- [LOW] Stored XSS on Target Summary via Todo, reported by TheLabda
- [LOW] Stored XSS on Nuclei Template Summary via malicious Nuclei template, reported by Walleson Moura
reNgine thanks everyone listed above for making a responsible disclosure and helping the community make reNgine safer!