OpenSSL has become the de facto standard for enabling cryptographically secure communication, and its integrity is of critical importance to preserving the privacy of all Internet users. The project's exceptional security track record has made the discovery of potential security vulnerabilities an increasingly difficult task. The security researchers who succeed in this challenge deserve our gratitude.
Only critical vulnerabilities that demonstrate a complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically arbitrary code execution, plaintext recovery, or an issue of equivalent impact. Lower-severity issues are not in scope at this time and should be reported through the normal OpenSSL bug reporting process.
The project maintainers have final decision on which issues constitute security vulnerabilities. The Panel will respect their decision, and we ask that you do as well.
Only versions currently supported by the upstream project are eligible. Please verify your issue is present in a current release before submission.
It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.
- Disclose a previously unknown security vulnerability directly to the project maintainers.
- Follow the disclosure process established by the project maintainers.
- Clearly demonstrate the security vulnerability. Respect the time of the project volunteers as they cannot invest significant effort into incomplete reports. Low-quality reports may be disqualified.
- Finding the vulnerability is only half the battle, so we'll award a matching bounty for an accepted patch. We encourage you to fully investigate the issue, adhere to the project's code quality standards, and submit a patch. Otherwise, we'll donate the additional bounty to the OpenSSL Software Foundation or a non-profit chosen by the project maintainers.
- Once a public security advisory has been issued, please contact us at email@example.com. You must not send us the details of the vulnerability until it has been validated, accepted, and publicly disclosed by the project maintainers.