We would like to take security very seriously. While we don't have a huge budget, we'd like to reward honest work, so I'm willing to give £5 for each reported issue that fits within our guidelines:
- Remote code execution (includes SQL injections)
- Denial of service exploits (not including basic high traffic attacks)
- Failures in encryption (passwords, SSL, etc.)
- Remote retrieval of secrets (any data clients shouldn't have their hands on, e.g. passwords, system info, etc.)
- Web request forgery

Because there's now money involved (albeit a fairly low amount), there are some restrictions we'd like to put in place:
- Must be the first time the issue has been reported
- Must not be a bug you caused yourself
- The PoC exploit needs to work against the master branch at the time of claim
- Max 5 rewards per person
- Bugs must be exploitable with a base install of Hirasawa; rogue plugins will not count
- Only do security testing against your own local instance of Hirasawa

To report a security issue, please either contact me (Connor) on our official Discord or email security@hirasawa.io. Do not report the issue on the public issue tracker.
Please give us a full calendar month to both solve the issue and pay the reward.
We will respond as soon as possible with a confirmation of the issue report. Don't be afraid to poke again if we don't respond.
We are happy to pay the reward money using the following services:
- PayPal transfer
- Charity donations
- osu! supporter