diff --git a/.github/ISSUE_TEMPLATE/all-for-one.md b/.github/ISSUE_TEMPLATE/all-for-one.md index e6b8580..dc6e914 100644 --- a/.github/ISSUE_TEMPLATE/all-for-one.md +++ b/.github/ISSUE_TEMPLATE/all-for-one.md 
@@ -1,32 +1,87 @@ --- name: All for One, One For All bounty submission about: Submit a CodeQL query for the All For One, One For All bounty (https://securitylab.github.com/bounties) -title: "[USERNAME]: [SUMMARY]" +title: "[TARGET-LANGUAGE]: [SUMMARY]" labels: All For One assignees: '' --- -## Query +## 1. Query -*Link to pull request with your CodeQL query:* +### Instructions ❓ + +Link to pull request with your CodeQL query: + +### Your answer 👇 Relevant PR: https://github.com/github/codeql/pull/nnnn -## CVE ID(s) +## 2. Report + +### Instructions ❓ + +Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community. + +### Your answer 👇 (you can ignore the suggested format) + +1. What is the vulnerability? + - Answer: ... +1. How does the vulnerability work? + - Answer: ... +1. What strategy do you use in your query to find the vulnerability? + - Answer: ... +1. How have you reduced the number of **false positives**? + - Answer: ... +1. Etc. + - Answer: ... + +## 3. Social + +### Instructions ❓ + +Are you planning to discuss your query publicly? (Blog Post, social networks, etc). + +**We would love to [help you] spread the word about the good work you are doing.** + +### Your answer 👇 + +- [ ] Yes +- [ ] No +- [ ] Yes, I already have: [link](link) + +## 4. Result(s) + +### Instructions ❓ + +- Provide at least one useful result found by your query, on some revision of a real project. +- If the result(s) is **fixed and disclosed**, then you can link it in this PR. +- If the result(s) is **NOT** fixed **nor disclosed**, then you can privately share your result via email to [security@github.com](mailto:security@github.com?subject=[BugBounty]%20Issue%20#000%20useful%20result) or on the [Security Lab slack](https://ghsecuritylab.slack.com/) sending it to `@TODO`. 
+- Even though your query is **out in the wild** (and it's quite trivial to run it against a sizable batch of projects), let's **not make things easy** for anyone wanting to exploit vulnerable projects. +- We understand that contacting maintainers of all the vulnerable repositories found by your query is a hard and lenghty process, and that's why we will add a bonus if you will do that **for at least X repositories** and get a [CVE assigned for them]. +- Anyway, we're here for **automating things away** and if you want to leave the heavy lifting of finding and notifying vulnerable repositories' owners to GitHub security bots, that's fine with us. +- But in any case, we need proof that you **did your own reaserch** on [real projects], and succeeded in finding at least one **true positive result [through your query]**, proving that is it a **real vulnerability** that happens in real apps (and not a baseless assumption). + +### Your answer 👇 (select one) + +- [ ] I will provide the result(s) **privately** to the Security Lab. + +**OR** -*List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories).* +- [ ] The vulnerability is already **fixed and disclosed**. + - Description: URL to vulnerable code -- CVE-20nn-nnnnn +## 5. CVE ID(s) -## Report +### Instructions ❓ -*Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.* +List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the [GitHub Advisory Database](https://github.com/advisories). -- [ ] Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). 
*We would love to have you spread the word about the good work you are doing* -## Result(s) +### Your answer 👇 -*Provide at least one useful result found by your query, on some revision of a real project.* +- Existing CVEs that my query would have been able to find if they weren't already fixed: + 1. CVE-20nn-nnnnn -- [description](url) +- Vulnerabilities that my query found and then resulted in a CVE: + 1. CVE-20nn-nnnnn
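Review bot: the added "4. Result(s)" instructions still carry unresolved placeholders that will reach submitters as-is: the Slack handle `@TODO`, the bonus threshold "for at least X repositories", the mailto subject "Issue #000", and the bracketed fragments "[help you]", "[CVE assigned for them]", "[real projects]" and "[through your query]", which read like link text that was never given a target. Either fill these in or drop the brackets before merging. The same block also has two typos in new lines, "lenghty process" (lengthy) and "did your own reaserch" (research), and the checkbox line "- [ ] Yes, I already have: [link](link)" in section 3 should use a clearer placeholder such as `[link](URL)` so it is not mistaken for a real link.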