[{"id":3773531,"new_policy":"The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. \n\nThe Tor Project is only offering bug bounties for supported versions of two of its core products, Tor (the network daemon) and Tor Browser. Supported versions for Tor can be found at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases. For Tor Browser it's a good start to look at the latest stable, alpha, and nightly builds. The former can be found at https://www.torproject.org/download/ and nightlies can be obtained via https://nightlies.tbb.torproject.org/nightly-builds/tor-browser-builds/.\n\nOther services (like the website, bug tracker, and server infrastructure) or products (like OONI or Orbot) are out of scope. Both Tor and Tor Browser bounties come with different tiers accompanied by a price range and some restrictions.\n\nNo Unverified LLM Output\n--------------------------\nAI-generated findings without thorough manual verification and a working PoC will be closed as \"informational\". Additionally, HackerOne's [Submission Standards on AI Research and Submissions standards](https://www.hackerone.com/policies/code-of-conduct#:~:text=AI-assisted) must be met before submitting.\n\nPlease disclose what tooling you used, whether you used an LLM, and which model you used.\n\nInternet Bug Bounty\n--------------------\nThe [Internet Bug Bounty](https://internetbugbounty.org) is providing the funding for rewards offered by this program.\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. 
It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\nSafe Harbor\n------------\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nQuestions\n----------\nIf you have questions about our bug bounty program or if there are security bug reports you want to send directly to us (disqualifying them from any potential bounty), feel free to contact us via security@torproject.org. If you want to encrypt your mail, you can get the OpenPGP public key for this address from keys.openpgp.org. Here is the fingerprint:\n\n`835B 4E04 F6F7 4211 04C4 751A 3EF9 EF99 6604 DE41`\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-05-02T17:13:21.859Z"},{"id":3773017,"new_policy":"The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. \n\nThe Tor Project is only offering bug bounties for supported versions of two of its core products, Tor (the network daemon) and Tor Browser. Supported versions for Tor can be found at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases. For Tor Browser it's a good start to look at the latest stable, alpha, and nightly builds. 
The former can be found at https://www.torproject.org/download/ and nightlies can be obtained via https://nightlies.tbb.torproject.org/nightly-builds/tor-browser-builds/.\n\nOther services (like the website, bug tracker, and server infrastructure) or products (like OONI or Orbot) are out of scope. Both Tor and Tor Browser bounties come with different tiers accompanied by a price range and some restrictions.\n\nNo Unverified LLM Output\n--------------------------\nAI-generated findings without thorough manual verification and a working PoC will be closed as \"informational\". Additionally, HackerOne's [Submission Standards on AI Research and Submissions standards](https://www.hackerone.com/policies/code-of-conduct#:~:text=AI-assisted) must be met before submitting.\n\nInternet Bug Bounty\n--------------------\nThe [Internet Bug Bounty](https://internetbugbounty.org) is providing the funding for rewards offered by this program.\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\nSafe Harbor\n------------\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nQuestions\n----------\nIf you have questions about our bug bounty program or if there are security bug reports you want to send directly to us (disqualifying them from any potential bounty), feel free to contact us via security@torproject.org. 
If you want to encrypt your mail, you can get the OpenPGP public key for this address from keys.openpgp.org. Here is the fingerprint:\n\n`835B 4E04 F6F7 4211 04C4 751A 3EF9 EF99 6604 DE41`\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-04-22T14:39:15.838Z"},{"id":3713301,"new_policy":"The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. \n\nThe Tor Project is only offering bug bounties for supported versions of two of its core products, Tor (the network daemon) and Tor Browser. Supported versions for Tor can be found at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases. For Tor Browser it's a good start to look at the latest stable, alpha, and nightly builds. The former can be found at https://www.torproject.org/download/ and nightlies can be obtained via https://nightlies.tbb.torproject.org/nightly-builds/tor-browser-builds/.\n\nOther services (like the website, bug tracker, and server infrastructure) or products (like OONI or Orbot) are out of scope. Both Tor and Tor Browser bounties come with different tiers accompanied by a price range and some restrictions.\n\nInternet Bug Bounty\n--------------------\nThe [Internet Bug Bounty](https://internetbugbounty.org) is providing the funding for rewards offered by this program.\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. 
It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\nSafe Harbor\n------------\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nQuestions\n----------\nIf you have questions about our bug bounty program or if there are security bug reports you want to send directly to us (disqualifying them from any potential bounty), feel free to contact us via security@torproject.org. If you want to encrypt your mail, you can get the OpenPGP public key for this address from keys.openpgp.org. Here is the fingerprint:\n\n`835B 4E04 F6F7 4211 04C4 751A 3EF9 EF99 6604 DE41`\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-27T14:50:33.920Z"},{"id":3650968,"new_policy":"The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. \n\nThe Tor Project is only offering bug bounties for supported versions of two of its core products, Tor (the network daemon) and Tor Browser. Supported versions for Tor can be found at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases. For Tor Browser it's a good start to look at the latest stable, alpha, and nightly builds. 
The former can be found at https://www.torproject.org/download/ and nightlies can be obtained via https://nightlies.tbb.torproject.org/nightly-builds/tor-browser-builds/.\n\nOther services (like the website, bug tracker, and server infrastructure) or products (like OONI or Orbot) are out of scope. Both Tor and Tor Browser bounties come with different tiers accompanied by a price range and some restrictions.\n\nInternet Bug Bounty\n--------------------\nThe [Internet Bug Bounty](https://internetbugbounty.org) is providing the funding for rewards offered by this program.\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\nSafe Harbor\n------------\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nQuestions\n----------\nIf you have questions about our bug bounty program or if there are security bug reports you want to send directly to us (disqualifying them from any potential bounty), feel free to contact us via tor-security@lists.torproject.org.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-09T08:21:29.948Z"},{"id":3650950,"new_policy":"The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. \n\nThe Tor Project is only offering bug bounties for supported versions of two of its core products, Tor (the network daemon) and Tor Browser. Supported versions for Tor can be found at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases. For Tor Browser it's a good start to look at the latest stable, alpha, and nightly builds. The former can be found at https://www.torproject.org/download/ and nightlies can be obtained via http://f4amtbsowhix7rrf.onion/tor-browser-builds/.\n\nOther services (like the website, bug tracker, and server infrastructure) or products (like OONI, Orbot, and Tor Messenger) are out of scope. 
Both Tor and Tor Browser bounties come with different tiers accompanied by a price range and some restrictions.\n\nInternet Bug Bounty\n--------------------\nThe [Internet Bug Bounty](https://internetbugbounty.org) is providing the funding for rewards offered by this program.\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\nSafe Harbor\n------------\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nQuestions\n----------\nIf you have questions about our bug bounty program or if there are security bug reports you want to send directly to us (disqualifying them from any potential bounty), feel free to contact us via tor-security@lists.torproject.org.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-08T20:35:21.355Z"},{"id":3650946,"new_policy":"The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. 
\n\nThe Tor Project is only offering bug bounties for supported versions of two of its core products, Tor (the network daemon) and Tor Browser. Supported versions for Tor can be found at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases. For Tor Browser it's a good start to look at the latest stable, alpha, and nightly builds. The former can be found at https://www.torproject.org/download/ and nightlies can be obtained via http://f4amtbsowhix7rrf.onion/tor-browser-builds/.\n\nOther services (like the website, bug tracker, and server infrastructure) or products (like OONI, Orbot, and Tor Messenger) are out of scope. Both Tor and Tor Browser bounties come with different tiers accompanied by a price range and some restrictions. \n\nTor\n----\n\nFor Tor the tiers, price ranges and restrictions look like this:\n\n### Low severity ($100 - $500):\n    \nThis tier is for low severity bugs that force Tor to misbehave in a way that might be security related, but does not put our core users in danger.  
If we receive a bug that is too low severity for this tier, we can still send the submitters some stickers or a t-shirt, and also mention them in our greetz list.\n\nBug examples:\n\n* Triggerable undefined behavior (https://bugs.torproject.org/6827)\n* Out-Of-Bounds reads (https://bugs.torproject.org/6530, https://bugs.torproject.org/15823)\n* Security bugs that only affect highly-unused platforms (not Linux/Windows/Mac/FreeBSD)\n* Security bugs affecting configurations which almost nobody uses.\n\n### Medium severity ($500 - $2000):\n\nThis tier is for medium severity bugs that cannot be used to exploit or deanonymize our users, but can be used as part of a greater attack that aims to do so.\n\nBug examples:\n    \n* Remote crash bugs that affect clients, hidden services, relays or dirauths (https://bugs.torproject.org/14129, https://bugs.torproject.org/15083)\n* Attacks that allow relays to link a user over different sessions (e.g. CVE-2011-2768)\n* Security bugs that require local (non privileged) access to the host to exploit (e.g. local privilege escalation to root)\n* Triggerable memory leaks on hidden services/relays/dirauths (https://bugs.torproject.org/11649)\n\n### High severity ($2000 - $4000):\n\nThis tier is for serious security bugs that result in users getting deanonymized or compromised.\n\nBug examples:\n\n* Attacks that allow remote code-execution (e.g. CVE-2011-0427, CVE-2011-2778)\n* Attacks that cause the leakage of crypto material of relays or clients (e.g. Heartbleed-like bugs)\n* Attacks that remotely cause clients to de-anonymize themselves.\n* Any means to bypass hidden service authorization.\n* Any means to impersonate a relay.\n* Any way for non-exit relays to read user's plaintext.\n\n### Vulnerabilities in third party libraries used by standard Tor ($500 - $2000):\n\nMedium or High severity vulnerabilities in any third party libraries that cause an issue as defined above are in-scope for this bug bounty program. 
This does not include third party libraries covered by other bug bounty programs, such as IBB. For the avoidance of doubt, this does exclude OpenSSL, but libevent is still in scope.\n\n### Excluded vulnerabilities\n\nThis section specifies an incomplete list of vulnerabilities that are *NOT* in scope for this bug bounty program.\n\nThat's because these attacks or issues arise from unanswered research questions and not because of bugs in the Tor software. While Tor may attempt to defend against some of these attacks, any defense is a mitigation and should not be considered indicative of a strong security boundary. Other excluded attacks depend on users doing obviously unsafe tasks which we also consider as out of scope to this program and try to address by educating users.\n\nHere is an incomplete list of excluded vulnerabilities:\n\n* Tagging attacks or other types of end-to-end traffic confirmation using  packet modification or timing, such as https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/ or https://blog.torproject.org/blog/one-cell-enough\n* Website and Traffic Fingerprinting Attacks, a good round-up is https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks\n* Using Tor against recommendations. There are several ways to configure Tor or use it insecurely including insecurely configuring it (e.g. setting  alternate Directory Authorities), leaking your IP address through  torrents, or opening downloaded files in external applications such as  document writers.\n* Attacks that are possible by an attacker outside the software's threat model.  
(For example, Tor assumes that the attacker does not have administrator access to your computer; has not installed a keylogger; does not control a majority of directory authorities; cannot make an authenticated connection to the control port; and so on.)\n* When users go to the wrong hidden service address, they get the wrong hidden service.\n* Timing side-channel attacks that can only be exploited at great difficulty, and only by local users.\n\nFor more information see as well: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy.\n\nTor Browser\n------------------\nFor Tor Browser the tiers, price ranges and restrictions are the following:\n\nGenerally there is no reward for anything already in our public bugtracker. This holds for Mozilla's bugtracker as well, with exceptions (see below). If you claim an additional bounty to the one from Mozilla we need to have notice about this specific issue before the bug gets public.\n\n### Low ($100 - $1000)\n\nThis tier is for third-party/supercookie tracking issues:\n \na. Non-fingerprinting (identifiers/cookies/etc): $1000\n  - Can be claimed either for supercookies that survive \"New Identity\" or for other mechanisms to track users across sites.\n\nb. Fingerprinting (Reward depends on accuracy and/or entropy. However, \"fingerprinting\" for this bounty program is defined pretty loosely. E.g. any bugs that help an attacker to find out something about a user's habit is in scope for this item):  $100-1000\n  - No reward for browser version differentiation\n  - No reward for OS differentiation\n\n### Medium ($1000 -$2000)\n\nThis tier is for unexploitable crashes caused by Tor Browser patches and NoScript bypasses to get arbitrary scripts to run:\n \na. 
Unexploitable Tor Browser crashes caused by Tor Browser patches: $1000-$2000\n  - remotely triggerable ones\n  - indirectly triggerable ones by a remote attacker (an attacker succeeds in convincing a user to do certain things that crash the browser)\n\nb. NoScript bypass to get any script to run $1000-$2000\n\n### High ($2000 - $3000+)\n\nThis tier is for serious security bugs that may result in users getting deanonymized or compromised.\n\na. \"Uncontrolled\" Partial Proxy Bypass: $2000\n  - E.g.: DNS resolution via non-Tor (https://bugs.torproject.org/5741)\n  - Other non-Tor connection to an IP address that is not under an attacker's control (For instance STUN server, Mozilla.org server, etc etc)\n\nb. Full Proxy bypass: $3000\n  - Direct non-Tor connection to an IP address of the attacker's choice\n  - Full code execution vulnerabilities not eligible for this bounty (i.e. c. and d.)\n\nc. Tor Browser-Specific Code Exec Base Bounty: $3000\n  - Applies to code exec vulnerabilities against our specific addons/patches/preference choices\n  - Can only be claimed in cases where Mozilla's bounty does not apply\n\nd. Bonus over Base Bounty for code execution exploits that work in:\n  1. Medium Security Slider Level on an HTTPS page: 50% Bonus\n  2. Medium Security Slider Level on a non-HTTPS page: 75% Bonus\n  3. High Security Slider Level: 100% Bonus\n\nInternet Bug Bounty\n--------------------\nThe [Internet Bug Bounty](https://internetbugbounty.org) is providing the funding for rewards offered by this program.\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. 
It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\nSafe Harbor\n------------\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nQuestions\n----------\nIf you have questions about our bug bounty program or if there are security bug reports you want to send directly to us (disqualifying them from any potential bounty), feel free to contact us via tor-security@lists.torproject.org.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-08T16:43:23.951Z"},{"id":3646114,"new_policy":"The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. \n\nThe Tor Project is only offering bug bounties for supported versions of two of its core products, Tor (the network daemon) and Tor Browser. Supported versions for Tor can be found at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases. For Tor Browser it's a good start to look at the latest stable, alpha, and nightly builds. 
The former can be found at https://www.torproject.org/download/ and nightlies can be obtained via http://f4amtbsowhix7rrf.onion/tor-browser-builds/.\n\nOther services (like the website, bug tracker, and server infrastructure) or products (like OONI, Orbot, and Tor Messenger) are out of scope. Both Tor and Tor Browser bounties come with different tiers accompanied by a price range and some restrictions. \n\nTor\n----\n\nFor Tor the tiers, price ranges and restrictions look like this:\n\n### Low severity ($100 - $500):\n    \nThis tier is for low severity bugs that force Tor to misbehave in a way that might be security related, but does not put our core users in danger.  If we receive a bug that is too low severity for this tier, we can still send the submitters some stickers or a t-shirt, and also mention them in our greetz list.\n\nBug examples:\n\n* Triggerable undefined behavior (https://bugs.torproject.org/6827)\n* Out-Of-Bounds reads (https://bugs.torproject.org/6530, https://bugs.torproject.org/15823)\n* Security bugs that only affect highly-unused platforms (not Linux/Windows/Mac/FreeBSD)\n* Security bugs affecting configurations which almost nobody uses.\n\n### Medium severity ($500 - $2000):\n\nThis tier is for medium severity bugs that cannot be used to exploit or deanonymize our users, but can be used as part of a greater attack that aims to do so.\n\nBug examples:\n    \n* Remote crash bugs that affect clients, hidden services, relays or dirauths (https://bugs.torproject.org/14129, https://bugs.torproject.org/15083)\n* Attacks that allow relays to link a user over different sessions (e.g. CVE-2011-2768)\n* Security bugs that require local (non privileged) access to the host to exploit (e.g. 
local privilege escalation to root)\n* Triggerable memory leaks on hidden services/relays/dirauths (https://bugs.torproject.org/11649)\n\n### High severity ($2000 - $4000):\n\nThis tier is for serious security bugs that result in users getting deanonymized or compromised.\n\nBug examples:\n\n* Attacks that allow remote code-execution (e.g. CVE-2011-0427, CVE-2011-2778)\n* Attacks that cause the leakage of crypto material of relays or clients (e.g. Heartbleed-like bugs)\n* Attacks that remotely cause clients to de-anonymize themselves.\n* Any means to bypass hidden service authorization.\n* Any means to impersonate a relay.\n* Any way for non-exit relays to read user's plaintext.\n\n### Vulnerabilities in third party libraries used by standard Tor ($500 - $2000):\n\nMedium or High severity vulnerabilities in any third party libraries that cause an issue as defined above are in-scope for this bug bounty program. This does not include third party libraries covered by other bug bounty programs, such as IBB. For the avoidance of doubt, this does exclude OpenSSL, but libevent is still in scope.\n\n### Excluded vulnerabilities\n\nThis section specifies an incomplete list of vulnerabilities that are *NOT* in scope for this bug bounty program.\n\nThat's because these attacks or issues arise from unanswered research questions and not because of bugs in the Tor software. While Tor may attempt to defend against some of these attacks, any defense is a mitigation and should not be considered indicative of a strong security boundary. 
Other excluded attacks depend on users doing obviously unsafe tasks which we also consider as out of scope to this program and try to address by educating users.\n\nHere is an incomplete list of excluded vulnerabilities:\n\n* Tagging attacks or other types of end-to-end traffic confirmation using  packet modification or timing, such as https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/ or https://blog.torproject.org/blog/one-cell-enough\n* Website and Traffic Fingerprinting Attacks, a good round-up is https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks\n* Using Tor against recommendations. There are several ways to configure Tor or use it insecurely including insecurely configuring it (e.g. setting  alternate Directory Authorities), leaking your IP address through  torrents, or opening downloaded files in external applications such as  document writers.\n* Attacks that are possible by an attacker outside the software's threat model.  (For example, Tor assumes that the attacker does not have administrator access to your computer; has not installed a keylogger; does not control a majority of directory authorities; cannot make an authenticated connection to the control port; and so on.)\n* When users go to the wrong hidden service address, they get the wrong hidden service.\n* Timing side-channel attacks that can only be exploited at great difficulty, and only by local users.\n\nFor more information see as well: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy.\n\nTor Browser\n------------------\nFor Tor Browser the tiers, price ranges and restrictions are the following:\n\nGenerally there is no reward for anything already in our public bugtracker. This holds for Mozilla's bugtracker as well, with exceptions (see below). 
If you claim an additional bounty to the one from Mozilla we need to have notice about this specific issue before the bug gets public.\n\n### Low ($100 - $1000)\n\nThis tier is for third-party/supercookie tracking issues:\n \na. Non-fingerprinting (identifiers/cookies/etc): $1000\n  - Can be claimed either for supercookies that survive \"New Identity\" or for other mechanisms to track users across sites.\n\nb. Fingerprinting (Reward depends on accuracy and/or entropy. However, \"fingerprinting\" for this bounty program is defined pretty loosely. E.g. any bugs that help an attacker to find out something about a user's habit is in scope for this item):  $100-1000\n  - No reward for browser version differentiation\n  - No reward for OS differentiation\n\n### Medium ($1000 -$2000)\n\nThis tier is for unexploitable crashes caused by Tor Browser patches and NoScript bypasses to get arbitrary scripts to run:\n \na. Unexploitable Tor Browser crashes caused by Tor Browser patches: $1000-$2000\n  - remotely triggerable ones\n  - indirectly triggerable ones by a remote attacker (an attacker succeeds in convincing a user to do certain things that crash the browser)\n\nb. NoScript bypass to get any script to run $1000-$2000\n\n### High ($2000 - $3000+)\n\nThis tier is for serious security bugs that may result in users getting deanonymized or compromised.\n\na. \"Uncontrolled\" Partial Proxy Bypass: $2000\n  - E.g.: DNS resolution via non-Tor (https://bugs.torproject.org/5741)\n  - Other non-Tor connection to an IP address that is not under an attacker's control (For instance STUN server, Mozilla.org server, etc etc)\n\nb. Full Proxy bypass: $3000\n  - Direct non-Tor connection to an IP address of the attacker's choice\n  - Full code execution vulnerabilities not eligible for this bounty (i.e. c. and d.)\n\nc. 
Tor Browser-Specific Code Exec Base Bounty: $3000\n  - Applies to code exec vulnerabilities against our specific addons/patches/preference choices\n  - Can only be claimed in cases where Mozilla's bounty does not apply\n\nd. Bonus over Base Bounty for code execution exploits that work in:\n  1. Medium Security Slider Level on an HTTPS page: 50% Bonus\n  2. Medium Security Slider Level on a non-HTTPS page: 75% Bonus\n  3. High Security Slider Level: 100% Bonus\n\nIf there are security bug reports you want to send directly to us, feel free to contact us via tor-security@lists.torproject.org.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-11-24T12:50:10.865Z"},{"id":3610143,"new_policy":"The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. \n\nThe Tor Project is only offering bug bounties for supported versions of two of its core products, Tor (the network daemon) and Tor Browser. Supported versions for Tor can be found at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases. For Tor Browser it's a good start to look at the latest stable, alpha, and nightly builds. The former can be found at https://www.torproject.org/download/ and nightlies can be obtained via http://f4amtbsowhix7rrf.onion/tor-browser-builds/.\n\nOther services (like the website, bug tracker, and server infrastructure) or products (like OONI, Orbot, and Tor Messenger) are out of scope. Both Tor and Tor Browser bounties come with different tiers accompanied by a price range and some restrictions. 
\n\nTor\n----\n\nFor Tor the tiers, price ranges and restrictions look like this:\n\n### Low severity ($100 - $500):\n    \nThis tier is for low severity bugs that force Tor to misbehave in a way that might be security related, but does not put our core users in danger.  If we receive a bug that is too low severity for this tier, we can still send the submitters some stickers or a t-shirt, and also mention them in our greetz list.\n\nBug examples:\n\n* Triggerable undefined behavior (https://bugs.torproject.org/6827)\n* Out-Of-Bounds reads (https://bugs.torproject.org/6530, https://bugs.torproject.org/15823)\n* Security bugs that only affect highly-unused platforms (not Linux/Windows/Mac/FreeBSD)\n* Security bugs affecting configurations which almost nobody uses.\n\n### Medium severity ($500 - $2000):\n\nThis tier is for medium severity bugs that cannot be used to exploit or deanonymize our users, but can be used as part of a greater attack that aims to do so.\n\nBug examples:\n    \n* Remote crash bugs that affect clients, hidden services, relays or dirauths (https://bugs.torproject.org/14129, https://bugs.torproject.org/15083)\n* Attacks that allow relays to link a user over different sessions (e.g CVE-2011-2768)\n* Security bugs that require local (non privileged) access to the host to exploit (e.g. local privilege escalation to root)\n* Triggerable memory leaks on hidden services/relays/dirauths (https://bugs.torproject.org/11649)\n\n### High severity ($2000 - $4000):\n\nThis tier is for serious security bugs that result in users getting deanonymized or compromised.\n\nBug examples:\n\n* Attacks that allow remote code-execution (e.g. CVE-2011-0427, CVE-2011-2778)\n* Attacks that cause the leakage of crypto material of relays or clients (e.g. 
Heartbleed-like bugs)\n* Attacks that remotely cause clients to de-anonymize themselves.\n* Any means to bypass hidden service authorization.\n* Any means to impersonate a relay.\n* Any way for non-exit relays to read user's plaintext.\n\n### Vulnerabilities in third party libraries used by standard Tor ($500 - $2000):\n\nMedium or High severity vulnerabilities in any third party libraries that cause an issue as defined above are in-scope for this bug bounty program. This does not include third party libraries covered by other bug bounty programs, such as IBB. For the avoidance of doubt, this does exclude OpenSSL, but libevent is still in scope.\n\n### Excluded vulnerabilities\n\nThis section specifies an incomplete list of vulnerabilities that are *NOT* in scope for this bug bounty program.\n\nThat's because these attacks or issues arise from unanswered research questions and not because of bugs in the Tor software. While Tor may attempt to defend against some of these attacks, any defense is a mitigation and should not be considered indicative of a strong security boundary. Other excluded attacks depend on users doing obviously unsafe tasks which we also consider as out of scope to this program and try to address by educating users.\n\nHere is an incomplete list of excluded vulnerabilities:\n\n* Tagging attacks or other types of end-to-end traffic confirmation using  packet modification or timing, such as https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/ or https://blog.torproject.org/blog/one-cell-enough\n* Website and Traffic Fingerprinting Attacks, a good round-up is https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks\n* Using Tor against recommendations. There are several ways to configure Tor or use it insecurely including insecurely configuring it (e.g. 
setting  alternate Directory Authorities), leaking your IP address through  torrents, or opening downloaded files in external applications such as  document writers.\n* Attacks that are possible by an attacker outside the software's threat model.  (For example, Tor assumes that the attacker does not have administrator access to your computer; has not installed a keylogger; does not control a majority of directory authorities; cannot make an authenticated connection to the control port; and so on.)\n* When users go to the wrong hidden service address, they get the wrong hidden service.\n* Timing side-channel attacks that can only be exploited at great difficulty, and only by local users.\n\nFor more information see as well: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy.\n\nTor Browser\n------------------\nFor Tor Browser the tiers, price ranges and restrictions are the following:\n\nGenerally there is no reward for anything already in our public bugtracker. This holds for Mozilla's bugtracker as well, with exceptions (see below). If you claim an additional bounty to the one from Mozilla we need to have notice about this specific issue before the bug gets public.\n\n### Low ($100 - $1000)\n\nThis tier is for third-party/supercookie tracking issues:\n \na. Non-fingerprinting (identifiers/cookies/etc): $1000\n  - Can be claimed either for supercookies that survive \"New Identity\" or for other mechanisms to track users across sites.\n\nb. Fingerprinting (Reward depends on accuracy and/or entropy. However, \"fingerprinting\" for this bounty program is defined pretty loosely. E.g. 
any bugs that help an attacker to find out something about a user's habit is in scope for this item):  $100-1000\n  - No reward for browser version differentiation\n  - No reward for OS differentiation\n\n### Medium ($1000 -$2000)\n\nThis tier is for unexploitable crashes caused by Tor Browser patches and NoScript bypasses to get arbitrary scripts to run:\n \na. Unexploitable Tor Browser crashes caused by Tor Browser patches: $1000-$2000\n  - remotely triggerable ones\n  - indirectly triggerable ones by a remote attacker (an attacker succeeds in convincing a user to do certain things that crash the browser)\n\nb. NoScript bypass to get any script to run $1000-$2000\n\n### High ($2000 - $3000+)\n\nThis tier is for serious security bugs that may result in users getting deanonymized or compromised.\n\na. \"Uncontrolled\" Partial Proxy Bypass: $2000\n  - E.g.: DNS resolution via non-Tor (https://bugs.torproject.org/5741)\n  - Other non-Tor connection to an IP address that is not under an attacker's control (For instance STUN server, Mozilla.org server, etc etc)\n\nb. Full Proxy bypass: $3000\n  - Direct non-Tor connection to an IP address of the attacker's choice\n  - Full code execution vulnerabilities not eligible for this bounty (i.e. c. and d.)\n\nc. Tor Browser-Specific Code Exec Base Bounty: $3000\n  - Applies to code exec vulnerabilities against our specific addons/paches/preference choices\n  - Can only be claimed in cases where Mozilla's bounty does not apply\n\nd. Bonus over Base Bounty/Mozilla Bounty for code execution exploits that work in:\n  1. Medium Security Slider Level on an HTTPS page: 50% Bonus\n  2. Medium Security Slider Level on a non-HTTPS page: 75% Bonus\n  3. 
High Security Slider Level: 100% Bonus\n\nIf there are security bug reports you want to send directly to us, feel free to contact us via tor-security@lists.torproject.org.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-24T09:44:14.169Z"},{"id":3609497,"new_policy":"The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. \n\nThe Tor Project is only offering bug bounties for supported versions of two of its core products, Tor (the network daemon) and Tor Browser. Supported versions for Tor can be found at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases. For Tor Browser it's a good start to look at the latest stable, alpha, and nightly builds. The former can be found at https://www.torproject.org/download/ and nightlies can be obtained via http://f4amtbsowhix7rrf.onion/tor-browser-builds/.\n\nOther services (like the website, bug tracker, and server infrastructure) or products (like OONI, Orbot, and Tor Messenger) are out of scope. Both Tor and Tor Browser bounties come with different tiers accompanied by a price range and some restrictions. \n\nTor\n----\n\nFor Tor the tiers, price ranges and restrictions look like this:\n\n### Low severity ($100 - $500):\n    \nThis tier is for low severity bugs that force Tor to misbehave in a way that might be security related, but does not put our core users in danger.  
If we receive a bug that is too low severity for this tier, we can still send the submitters some stickers or a t-shirt, and also mention them in our greetz list.\n\nBug examples:\n\n* Triggerable undefined behavior (https://bugs.torproject.org/6827)\n* Out-Of-Bounds reads (https://bugs.torproject.org/6530, https://bugs.torproject.org/15823)\n* Security bugs that only affect highly-unused platforms (not Linux/Windows/Mac/FreeBSD)\n* Security bugs affecting configurations which almost nobody uses.\n\n### Medium severity ($500 - $2000):\n\nThis tier is for medium severity bugs that cannot be used to exploit or deanonymize our users, but can be used as part of a greater attack that aims to do so.\n\nBug examples:\n    \n* Remote crash bugs that affect clients, hidden services, relays or dirauths (https://bugs.torproject.org/14129, https://bugs.torproject.org/15083)\n* Attacks that allow relays to link a user over different sessions (e.g CVE-2011-2768)\n* Security bugs that require local (non privileged) access to the host to exploit (e.g. local privilege escalation to root)\n* Triggerable memory leaks on hidden services/relays/dirauths (https://bugs.torproject.org/11649)\n\n### High severity ($2000 - $4000):\n\nThis tier is for serious security bugs that result in users getting deanonymized or compromised.\n\nBug examples:\n\n* Attacks that allow remote code-execution (e.g. CVE-2011-0427, CVE-2011-2778)\n* Attacks that cause the leakage of crypto material of relays or clients (e.g. Heartbleed-like bugs)\n* Attacks that remotely cause clients to de-anonymize themselves.\n* Any means to bypass hidden service authorization.\n* Any means to impersonate a relay.\n* Any way for non-exit relays to read user's plaintext.\n\n### Vulnerabilities in third party libraries used by standard Tor ($500 - $2000):\n\nMedium or High severity vulnerabilities in any third party libraries that cause an issue as defined above are in-scope for this bug bounty program. 
This does not include third party libraries covered by other bug bounty programs, such as IBB. For the avoidance of doubt, this does exclude OpenSSL, but libevent is still in scope.\n\n### Excluded vulnerabilities\n\nThis section specifies an incomplete list of vulnerabilities that are *NOT* in scope for this bug bounty program.\n\nThat's because these attacks or issues arise from unanswered research questions and not because of bugs in the Tor software. While Tor may attempt to defend against some of these attacks, any defense is a mitigation and should not be considered indicative of a strong security boundary. Other excluded attacks depend on users doing obviously unsafe tasks which we also consider as out of scope to this program and try to address by educating users.\n\nHere is an incomplete list of excluded vulnerabilities:\n\n* Tagging attacks or other types of end-to-end traffic confirmation using  packet modification or timing, such as https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/ or https://blog.torproject.org/blog/one-cell-enough\n* Website and Traffic Fingerprinting Attacks, a good round-up is https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks\n* Using Tor against recommendations. There are several ways to configure Tor or use it insecurely including insecurely configuring it (e.g. setting  alternate Directory Authorities), leaking your IP address through  torrents, or opening downloaded files in external applications such as  document writers.\n* Attacks that are possible by an attacker outside the software's threat model.  
(For example, Tor assumes that the attacker does not have administrator access to your computer; has not installed a keylogger; does not control a majority of directory authorities; cannot make an authenticated connection to the control port; and so on.)\n* When users go to the wrong hidden service address, they get the wrong hidden service.\n* Timing side-channel attacks that can only be exploited at great difficulty, and only by local users.\n\nTor Browser\n------------------\nFor Tor Browser the tiers, price ranges and restrictions are the following:\n\nGenerally there is no reward for anything already in our public bugtracker. This holds for Mozilla's bugtracker as well, with exceptions (see below). If you claim an additional bounty to the one from Mozilla we need to have notice about this specific issue before the bug gets public.\n\n### Low ($100 - $1000)\n\nThis tier is for third-party/supercookie tracking issues:\n \na. Non-fingerprinting (identifiers/cookies/etc): $1000\n  - Can be claimed either for supercookies that survive \"New Identity\" or for other mechanisms to track users across sites.\n\nb. Fingerprinting (Reward depends on accuracy and/or entropy. However, \"fingerprinting\" for this bounty program is defined pretty loosely. E.g. any bugs that help an attacker to find out something about a user's habit is in scope for this item):  $100-1000\n  - No reward for browser version differentiation\n  - No reward for OS differentiation\n\n### Medium ($1000 -$2000)\n\nThis tier is for unexploitable crashes caused by Tor Browser patches and NoScript bypasses to get arbitrary scripts to run:\n \na. Unexploitable Tor Browser crashes caused by Tor Browser patches: $1000-$2000\n  - remotely triggerable ones\n  - indirectly triggerable ones by a remote attacker (an attacker succeeds in convincing a user to do certain things that crash the browser)\n\nb. 
NoScript bypass to get any script to run $1000-$2000\n\n### High ($2000 - $3000+)\n\nThis tier is for serious security bugs that may result in users getting deanonymized or compromised.\n\na. \"Uncontrolled\" Partial Proxy Bypass: $2000\n  - E.g.: DNS resolution via non-Tor (https://bugs.torproject.org/5741)\n  - Other non-Tor connection to an IP address that is not under an attacker's control (For instance STUN server, Mozilla.org server, etc etc)\n\nb. Full Proxy bypass: $3000\n  - Direct non-Tor connection to an IP address of the attacker's choice\n  - Full code execution vulnerabilities not eligible for this bounty (i.e. c. and d.)\n\nc. Tor Browser-Specific Code Exec Base Bounty: $3000\n  - Applies to code exec vulnerabilities against our specific addons/paches/preference choices\n  - Can only be claimed in cases where Mozilla's bounty does not apply\n\nd. Bonus over Base Bounty/Mozilla Bounty for code execution exploits that work in:\n  1. Medium Security Slider Level on an HTTPS page: 50% Bonus\n  2. Medium Security Slider Level on a non-HTTPS page: 75% Bonus\n  3. High Security Slider Level: 100% Bonus\n\nIf there are security bug reports you want to send directly to us, feel free to contact us via tor-security@lists.torproject.org.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-15T11:39:49.975Z"},{"id":3604141,"new_policy":"The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. \n\nThe Tor Project is only offering bug bounties for two of its core products, Tor (the network daemon) and Tor Browser. 
Other services (like the website, bug tracker, and server infrastructure) or products (like OONI, Orbot, and Tor Messenger) are out of scope. Both Tor and Tor Browser bounties come with different tiers accompanied by a price range and some restrictions. \n\nTor\n----\n\nFor Tor the tiers, price ranges and restrictions look like this:\n\n### Low severity ($100 - $500):\n    \nThis tier is for low severity bugs that force Tor to misbehave in a way that might be security related, but does not put our core users in danger.  If we receive a bug that is too low severity for this tier, we can still send the submitters some stickers or a t-shirt, and also mention them in our greetz list.\n\nBug examples:\n\n* Triggerable undefined behavior (https://bugs.torproject.org/6827)\n* Out-Of-Bounds reads (https://bugs.torproject.org/6530, https://bugs.torproject.org/15823)\n* Security bugs that only affect highly-unused platforms (not Linux/Windows/Mac/FreeBSD)\n* Security bugs affecting configurations which almost nobody uses.\n\n### Medium severity ($500 - $2000):\n\nThis tier is for medium severity bugs that cannot be used to exploit or deanonymize our users, but can be used as part of a greater attack that aims to do so.\n\nBug examples:\n    \n* Remote crash bugs that affect clients, hidden services, relays or dirauths (https://bugs.torproject.org/14129, https://bugs.torproject.org/15083)\n* Attacks that allow relays to link a user over different sessions (e.g CVE-2011-2768)\n* Security bugs that require local (non privileged) access to the host to exploit (e.g. local privilege escalation to root)\n* Triggerable memory leaks on hidden services/relays/dirauths (https://bugs.torproject.org/11649)\n\n### High severity ($2000 - $4000):\n\nThis tier is for serious security bugs that result in users getting deanonymized or compromised.\n\nBug examples:\n\n* Attacks that allow remote code-execution (e.g. 
CVE-2011-0427, CVE-2011-2778)\n* Attacks that cause the leakage of crypto material of relays or clients (e.g. Heartbleed-like bugs)\n* Attacks that remotely cause clients to de-anonymize themselves.\n* Any means to bypass hidden service authorization.\n* Any means to impersonate a relay.\n* Any way for non-exit relays to read user's plaintext.\n\n### Vulnerabilities in third party libraries used by standard Tor ($500 - $2000):\n\nMedium or High severity vulnerabilities in any third party libraries that cause an issue as defined above are in-scope for this bug bounty program. This does not include third party libraries covered by other bug bounty programs, such as IBB. For the avoidance of doubt, this does exclude OpenSSL, but libevent is still in scope.\n\n### Excluded vulnerabilities\n\nThis section specifies an incomplete list of vulnerabilities that are *NOT* in scope for this bug bounty program.\n\nThat's because these attacks or issues arise from unanswered research questions and not because of bugs in the Tor software. While Tor may attempt to defend against some of these attacks, any defense is a mitigation and should not be considered indicative of a strong security boundary. Other excluded attacks depend on users doing obviously unsafe tasks which we also consider as out of scope to this program and try to address by educating users.\n\nHere is an incomplete list of excluded vulnerabilities:\n\n* Tagging attacks or other types of end-to-end traffic confirmation using  packet modification or timing, such as https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/ or https://blog.torproject.org/blog/one-cell-enough\n* Website and Traffic Fingerprinting Attacks, a good round-up is https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks\n* Using Tor against recommendations. There are several ways to configure Tor or use it insecurely including insecurely configuring it (e.g. 
setting  alternate Directory Authorities), leaking your IP address through  torrents, or opening downloaded files in external applications such as  document writers.\n* Attacks that are possible by an attacker outside the software's threat model.  (For example, Tor assumes that the attacker does not have administrator access to your computer; has not installed a keylogger; does not control a majority of directory authorities; cannot make an authenticated connection to the control port; and so on.)\n* When users go to the wrong hidden service address, they get the wrong hidden service.\n* Timing side-channel attacks that can only be exploited at great difficulty, and only by local users.\n\nTor Browser\n------------------\nFor Tor Browser the tiers, price ranges and restrictions are the following:\n\nGenerally there is no reward for anything already in our public bugtracker. This holds for Mozilla's bugtracker as well, with exceptions (see below). If you claim an additional bounty to the one from Mozilla we need to have notice about this specific issue before the bug gets public.\n\n### Low ($100 - $1000)\n\nThis tier is for third-party/supercookie tracking issues:\n \na. Non-fingerprinting (identifiers/cookies/etc): $1000\n  - Can be claimed either for supercookies that survive \"New Identity\" or for other mechanisms to track users across sites.\n\nb. Fingerprinting (Reward depends on accuracy and/or entropy. However, \"fingerprinting\" for this bounty program is defined pretty loosely. E.g. any bugs that help an attacker to find out something about a user's habit is in scope for this item):  $100-1000\n  - No reward for browser version differentiation\n  - No reward for OS differentiation\n\n### Medium ($1000 -$2000)\n\nThis tier is for unexploitable crashes caused by Tor Browser patches and NoScript bypasses to get arbitrary scripts to run:\n \na. 
Unexploitable Tor Browser crashes caused by Tor Browser patches: $1000-$2000\n  - remotely triggerable ones\n  - indirectly triggerable ones by a remote attacker (an attacker succeeds in convincing a user to do certain things that crash the browser)\n\nb. NoScript bypass to get any script to run $1000-$2000\n\n### High ($2000 - $3000+)\n\nThis tier is for serious security bugs that may result in users getting deanonymized or compromised.\n\na. \"Uncontrolled\" Partial Proxy Bypass: $2000\n  - E.g.: DNS resolution via non-Tor (https://bugs.torproject.org/5741)\n  - Other non-Tor connection to an IP address that is not under an attacker's control (For instance STUN server, Mozilla.org server, etc etc)\n\nb. Full Proxy bypass: $3000\n  - Direct non-Tor connection to an IP address of the attacker's choice\n  - Full code execution vulnerabilities not eligible for this bounty (i.e. c. and d.)\n\nc. Tor Browser-Specific Code Exec Base Bounty: $3000\n  - Applies to code exec vulnerabilities against our specific addons/paches/preference choices\n  - Can only be claimed in cases where Mozilla's bounty does not apply\n\nd. Bonus over Base Bounty/Mozilla Bounty for code execution exploits that work in:\n  1. Medium Security Slider Level on an HTTPS page: 50% Bonus\n  2. Medium Security Slider Level on a non-HTTPS page: 75% Bonus\n  3. High Security Slider Level: 100% Bonus\n\nIf there are security bug reports you want to send directly to us, feel free to contact us via tor-security@lists.torproject.org.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-03-04T21:01:02.747Z"},{"id":3560678,"new_policy":"The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. 
If you have discovered a security issue that you believe we should know about, we'd welcome working with you. \n\nThe Tor Project is only offering bug bounties for two of its core products, Tor (the network daemon) and Tor Browser. Other services (like the website, bug tracker, and server infrastructure) or products (like OONI, Orbot, and Tor Messenger) are out of scope. Both Tor and Tor Browser bounties come with different tiers accompanied by a price range and some restrictions. \n\nTor\n----\n\nFor Tor the tiers, price ranges and restrictions look like this:\n\n### Low severity ($100 - $500):\n    \nThis tier is for low severity bugs that force Tor to misbehave in a way that might be security related, but does not put our core users in danger.  If we receive a bug that is too low severity for this tier, we can still send the submitters some stickers or a t-shirt, and also mention them in our greetz list.\n\nBug examples:\n\n* Triggerable undefined behavior (https://bugs.torproject.org/6827)\n* Out-Of-Bounds reads (https://bugs.torproject.org/6530, https://bugs.torproject.org/15823)\n* Security bugs that only affect highly-unused platforms (not Linux/Windows/Mac/FreeBSD)\n* Security bugs affecting configurations which almost nobody uses.\n\n### Medium severity ($500 - $2000):\n\nThis tier is for medium severity bugs that cannot be used to exploit or deanonymize our users, but can be used as part of a greater attack that aims to do so.\n\nBug examples:\n    \n* Remote crash bugs that affect clients, hidden services, relays or dirauths (https://bugs.torproject.org/14129, https://bugs.torproject.org/15083)\n* Attacks that allow relays to link a user over different sessions (e.g CVE-2011-2768)\n* Security bugs that require local (non privileged) access to the host to exploit (e.g. 
local privilege escalation to root)\n* Triggerable memory leaks on hidden services/relays/dirauths (https://bugs.torproject.org/11649)\n\n### High severity ($2000 - $4000):\n\nThis tier is for serious security bugs that result in users getting deanonymized or compromised.\n\nBug examples:\n\n* Attacks that allow remote code-execution (e.g. CVE-2011-0427, CVE-2011-2778)\n* Attacks that cause the leakage of crypto material of relays or clients (e.g. Heartbleed-like bugs)\n* Attacks that remotely cause clients to de-anonymize themselves.\n* Any means to bypass hidden service authorization.\n* Any means to impersonate a relay.\n* Any way for non-exit relays to read user's plaintext.\n\n### Vulnerabilities in third party libraries used by standard Tor ($500 - $2000):\n\nMedium or High severity vulnerabilities in any third party libraries that cause an issue as defined above are in-scope for this bug bounty program. This does not include third party libraries covered by other bug bounty programs, such as IBB. For the avoidance of doubt, this does exclude OpenSSL, but libevent is still in scope.\n\n### Excluded vulnerabilities\n\nThis section specifies an incomplete list of vulnerabilities that are *NOT* in scope for this bug bounty program.\n\nThat's because these attacks or issues arise from unanswered research questions and not because of bugs in the Tor software. While Tor may attempt to defend against some of these attacks, any defense is a mitigation and should not be considered indicative of a strong security boundary. 
Other excluded attacks depend on users doing obviously unsafe tasks which we also consider as out of scope to this program and try to address by educating users.\n\nHere is an incomplete list of excluded vulnerabilities:\n\n* Tagging attacks or other types of end-to-end traffic confirmation using  packet modification or timing, such as https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/ or https://blog.torproject.org/blog/one-cell-enough\n* Website and Traffic Fingerprinting Attacks, a good round-up is https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks\n* Using Tor against recommendations. There are several ways to configure Tor or use it insecurely including insecurely configuring it (e.g. setting  alternate Directory Authorities), leaking your IP address through  torrents, or opening downloaded files in external applications such as  document writers.\n* Attacks that are possible by an attacker outside the software's threat model.  (For example, Tor assumes that the attacker does not have administrator access to your computer; has not installed a keylogger; does not control a majority of directory authorities; cannot make an authenticated connection to the control port; and so on.)\n* When users go to the wrong hidden service address, they get the wrong hidden service.\n* Timing side-channel attacks that can only be exploited at great difficulty, and only by local users.\n\nTor Browser\n------------------\nFor Tor Browser the tiers, price ranges and restrictions are the following:\n\nGenerally there is no reward for anything already in our public bugtracker. This holds for Mozilla's bugtracker as well, with exceptions (see below). If you claim an additional bounty to the one from Mozilla we need to have notice about this specific issue before the bug gets public.\n\n### Low ($100 - $1000)\n\nThis tier is for third-party/supercookie tracking issues:\n \na. 
Non-fingerprinting (identifiers/cookies/etc): $1000\n  - Can be claimed either for supercookies that survive \"New Identity\" or for other mechanisms to track users across sites.\n\nb. Fingerprinting (Reward depends on accuracy and/or entropy):  $100-1000\n  - No reward for browser version differentiation\n  - No reward for OS differentiation\n\n### Medium ($1000 -$2000)\n\nThis tier is for unexploitable crashes caused by Tor Browser patches and NoScript bypasses to get arbitrary scripts to run:\n \na. Unexploitable Tor Browser crashes caused by Tor Browser patches: $1000-$2000\n  - remotely triggerable ones\n  - indirectly triggerable ones by a remote attacker (an attacker succeeds in convincing a user to do certain things that crash the browser)\n\nb. NoScript bypass to get any script to run $1000-$2000\n\n### High ($2000 - $3000+)\n\nThis tier is for serious security bugs that may result in users getting deanonymized or compromised.\n\na. \"Uncontrolled\" Partial Proxy Bypass: $2000\n  - E.g.: DNS resolution via non-Tor (https://bugs.torproject.org/5741)\n  - Other non-Tor connection to an IP address that is not under an attacker's control (For instance STUN server, Mozilla.org server, etc etc)\n\nb. Full Proxy bypass: $3000\n  - Direct non-Tor connection to an IP address of the attacker's choice\n  - Full code execution vulnerabilities not eligible for this bounty (i.e. c. and d.)\n\nc. Tor Browser-Specific Code Exec Base Bounty: $3000\n  - Applies to code exec vulnerabilities against our specific addons/paches/preference choices\n  - Can only be claimed in cases where Mozilla's bounty does not apply\n\nd. Bonus over Base Bounty/Mozilla Bounty for code execution exploits that work in:\n  1. Medium Security Slider Level on an HTTPS page: 50% Bonus\n  2. Medium Security Slider Level on a non-HTTPS page: 75% Bonus\n  3. 
High Security Slider Level: 100% Bonus\n\nIf there are security bug reports you want to send directly to us, feel free to contact us via tor-security@lists.torproject.org.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-09-20T10:19:01.941Z"},{"id":3560675,"new_policy":"The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. \n\nThe Tor Project is only offering bug bounties for two of its core products, Tor (the network daemon) and Tor Browser. Other services (like the website, bug tracker, and server infrastructure) or products (like OONI, Orbot, and Tor Messenger) are out of scope. Both come with different tiers accompanied by a price range and some restrictions. \n\nTor\n----\n\nFor Tor the tiers, price ranges and restrictions look like this:\n\n### Low severity ($100 - $500):\n    \nThis tier is for low severity bugs that force Tor to misbehave in a way that might be security related, but does not put our core users in danger.  
If we receive a bug that is too low severity for this tier, we can still send the submitters some stickers or a t-shirt, and also mention them in our greetz list.\n\nBug examples:\n\n* Triggerable undefined behavior (https://bugs.torproject.org/6827)\n* Out-Of-Bounds reads (https://bugs.torproject.org/6530, https://bugs.torproject.org/15823)\n* Security bugs that only affect highly-unused platforms (not Linux/Windows/Mac/FreeBSD)\n* Security bugs affecting configurations which almost nobody uses.\n\n### Medium severity ($500 - $2000):\n\nThis tier is for medium severity bugs that cannot be used to exploit or deanonymize our users, but can be used as part of a greater attack that aims to do so.\n\nBug examples:\n    \n* Remote crash bugs that affect clients, hidden services, relays or dirauths (https://bugs.torproject.org/14129, https://bugs.torproject.org/15083)\n* Attacks that allow relays to link a user over different sessions (e.g. CVE-2011-2768)\n* Security bugs that require local (non-privileged) access to the host to exploit (e.g. local privilege escalation to root)\n* Triggerable memory leaks on hidden services/relays/dirauths (https://bugs.torproject.org/11649)\n\n### High severity ($2000 - $4000):\n\nThis tier is for serious security bugs that result in users getting deanonymized or compromised.\n\nBug examples:\n\n* Attacks that allow remote code-execution (e.g. CVE-2011-0427, CVE-2011-2778)\n* Attacks that cause the leakage of crypto material of relays or clients (e.g. Heartbleed-like bugs)\n* Attacks that remotely cause clients to de-anonymize themselves.\n* Any means to bypass hidden service authorization.\n* Any means to impersonate a relay.\n* Any way for non-exit relays to read users' plaintext.\n\n### Vulnerabilities in third party libraries used by standard Tor ($500 - $2000):\n\nMedium or High severity vulnerabilities in any third party libraries that cause an issue as defined above are in-scope for this bug bounty program. 
This does not include third party libraries covered by other bug bounty programs, such as IBB. For the avoidance of doubt, this does exclude OpenSSL, but libevent is still in scope.\n\n### Excluded vulnerabilities\n\nThis section specifies an incomplete list of vulnerabilities that are *NOT* in scope for this bug bounty program.\n\nThat's because these attacks or issues arise from unanswered research questions and not because of bugs in the Tor software. While Tor may attempt to defend against some of these attacks, any defense is a mitigation and should not be considered indicative of a strong security boundary. Other excluded attacks depend on users doing obviously unsafe tasks, which we also consider out of scope for this program and try to address by educating users.\n\nHere is an incomplete list of excluded vulnerabilities:\n\n* Tagging attacks or other types of end-to-end traffic confirmation using packet modification or timing, such as https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/ or https://blog.torproject.org/blog/one-cell-enough\n* Website and Traffic Fingerprinting Attacks, a good round-up is https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks\n* Using Tor against recommendations. There are several ways to configure Tor or use it insecurely, including insecurely configuring it (e.g. setting alternate Directory Authorities), leaking your IP address through torrents, or opening downloaded files in external applications such as document writers.\n* Attacks that are possible by an attacker outside the software's threat model. 
(For example, Tor assumes that the attacker does not have administrator access to your computer; has not installed a keylogger; does not control a majority of directory authorities; cannot make an authenticated connection to the control port; and so on.)\n* When users go to the wrong hidden service address, they get the wrong hidden service.\n* Timing side-channel attacks that can only be exploited at great difficulty, and only by local users.\n\nTor Browser\n------------------\nFor Tor Browser the tiers, price ranges and restrictions are the following:\n\nGenerally there is no reward for anything already in our public bugtracker. This holds for Mozilla's bugtracker as well, with exceptions (see below). If you claim an additional bounty to the one from Mozilla, we need to have notice of this specific issue before the bug becomes public.\n\n### Low ($100 - $1000)\n\nThis tier is for third-party/supercookie tracking issues:\n \na. Non-fingerprinting (identifiers/cookies/etc): $1000\n  - Can be claimed either for supercookies that survive \"New Identity\" or for other mechanisms to track users across sites.\n\nb. Fingerprinting (Reward depends on accuracy and/or entropy): $100-1000\n  - No reward for browser version differentiation\n  - No reward for OS differentiation\n\n### Medium ($1000 - $2000)\n\nThis tier is for unexploitable crashes caused by Tor Browser patches and NoScript bypasses to get arbitrary scripts to run:\n \na. Unexploitable Tor Browser crashes caused by Tor Browser patches: $1000-$2000\n  - remotely triggerable ones\n  - indirectly triggerable ones by a remote attacker (an attacker succeeds in convincing a user to do certain things that crash the browser)\n\nb. NoScript bypass to get any script to run: $1000-$2000\n\n### High ($2000 - $3000+)\n\nThis tier is for serious security bugs that may result in users getting deanonymized or compromised.\n\na. 
\"Uncontrolled\" Partial Proxy Bypass: $2000\n  - E.g.: DNS resolution via non-Tor (https://bugs.torproject.org/5741)\n  - Other non-Tor connection to an IP address that is not under an attacker's control (for instance a STUN server, a Mozilla.org server, etc.)\n\nb. Full Proxy bypass: $3000\n  - Direct non-Tor connection to an IP address of the attacker's choice\n  - Full code execution vulnerabilities are not eligible for this bounty (see c. and d.)\n\nc. Tor Browser-Specific Code Exec Base Bounty: $3000\n  - Applies to code exec vulnerabilities against our specific addons/patches/preference choices\n  - Can only be claimed in cases where Mozilla's bounty does not apply\n\nd. Bonus over Base Bounty/Mozilla Bounty for code execution exploits that work in:\n  1. Medium Security Slider Level on an HTTPS page: 50% Bonus\n  2. Medium Security Slider Level on a non-HTTPS page: 75% Bonus\n  3. High Security Slider Level: 100% Bonus\n\nIf there are security bug reports you want to send directly to us, feel free to contact us via tor-security@lists.torproject.org.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-09-20T10:17:13.053Z"},{"id":3557998,"new_policy":"The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. \n\nThe Tor Project is offering bug bounties for two of its core products, Tor (the network daemon) and Tor Browser. Both come with different tiers accompanied by a price range and some restrictions. 
\n\nTor\n----\n\nFor Tor the tiers, price ranges and restrictions look like this:\n\n### Low severity ($100 - $500):\n    \nThis tier is for low severity bugs that force Tor to misbehave in a way that might be security related, but does not put our core users in danger. If we receive a bug that is too low severity for this tier, we can still send the submitters some stickers or a t-shirt, and also mention them in our greetz list.\n\nBug examples:\n\n* Triggerable undefined behavior (https://bugs.torproject.org/6827)\n* Out-Of-Bounds reads (https://bugs.torproject.org/6530, https://bugs.torproject.org/15823)\n* Security bugs that only affect highly-unused platforms (not Linux/Windows/Mac/FreeBSD)\n* Security bugs affecting configurations which almost nobody uses.\n\n### Medium severity ($500 - $2000):\n\nThis tier is for medium severity bugs that cannot be used to exploit or deanonymize our users, but can be used as part of a greater attack that aims to do so.\n\nBug examples:\n    \n* Remote crash bugs that affect clients, hidden services, relays or dirauths (https://bugs.torproject.org/14129, https://bugs.torproject.org/15083)\n* Attacks that allow relays to link a user over different sessions (e.g. CVE-2011-2768)\n* Security bugs that require local (non-privileged) access to the host to exploit (e.g. local privilege escalation to root)\n* Triggerable memory leaks on hidden services/relays/dirauths (https://bugs.torproject.org/11649)\n\n### High severity ($2000 - $4000):\n\nThis tier is for serious security bugs that result in users getting deanonymized or compromised.\n\nBug examples:\n\n* Attacks that allow remote code-execution (e.g. CVE-2011-0427, CVE-2011-2778)\n* Attacks that cause the leakage of crypto material of relays or clients (e.g. 
Heartbleed-like bugs)\n* Attacks that remotely cause clients to de-anonymize themselves.\n* Any means to bypass hidden service authorization.\n* Any means to impersonate a relay.\n* Any way for non-exit relays to read users' plaintext.\n\n### Vulnerabilities in third party libraries used by standard Tor ($500 - $2000):\n\nMedium or High severity vulnerabilities in any third party libraries that cause an issue as defined above are in-scope for this bug bounty program. This does not include third party libraries covered by other bug bounty programs, such as IBB. For the avoidance of doubt, this does exclude OpenSSL, but libevent is still in scope.\n\n### Excluded vulnerabilities\n\nThis section specifies an incomplete list of vulnerabilities that are *NOT* in scope for this bug bounty program.\n\nThat's because these attacks or issues arise from unanswered research questions and not because of bugs in the Tor software. While Tor may attempt to defend against some of these attacks, any defense is a mitigation and should not be considered indicative of a strong security boundary. Other excluded attacks depend on users doing obviously unsafe tasks, which we also consider out of scope for this program and try to address by educating users.\n\nHere is an incomplete list of excluded vulnerabilities:\n\n* Tagging attacks or other types of end-to-end traffic confirmation using packet modification or timing, such as https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/ or https://blog.torproject.org/blog/one-cell-enough\n* Website and Traffic Fingerprinting Attacks, a good round-up is https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks\n* Using Tor against recommendations. There are several ways to configure Tor or use it insecurely, including insecurely configuring it (e.g. 
setting alternate Directory Authorities), leaking your IP address through torrents, or opening downloaded files in external applications such as document writers.\n* Attacks that are possible by an attacker outside the software's threat model. (For example, Tor assumes that the attacker does not have administrator access to your computer; has not installed a keylogger; does not control a majority of directory authorities; cannot make an authenticated connection to the control port; and so on.)\n* When users go to the wrong hidden service address, they get the wrong hidden service.\n* Timing side-channel attacks that can only be exploited at great difficulty, and only by local users.\n\nTor Browser\n------------------\nFor Tor Browser the tiers, price ranges and restrictions are the following:\n\nGenerally there is no reward for anything already in our public bugtracker. This holds for Mozilla's bugtracker as well, with exceptions (see below). If you claim an additional bounty to the one from Mozilla, we need to have notice of this specific issue before the bug becomes public.\n\n### Low ($100 - $1000)\n\nThis tier is for third-party/supercookie tracking issues:\n \na. Non-fingerprinting (identifiers/cookies/etc): $1000\n  - Can be claimed either for supercookies that survive \"New Identity\" or for other mechanisms to track users across sites.\n\nb. Fingerprinting (Reward depends on accuracy and/or entropy): $100-1000\n  - No reward for browser version differentiation\n  - No reward for OS differentiation\n\n### Medium ($1000 - $2000)\n\nThis tier is for unexploitable crashes caused by Tor Browser patches and NoScript bypasses to get arbitrary scripts to run:\n \na. Unexploitable Tor Browser crashes caused by Tor Browser patches: $1000-$2000\n  - remotely triggerable ones\n  - indirectly triggerable ones by a remote attacker (an attacker succeeds in convincing a user to do certain things that crash the browser)\n\nb. 
NoScript bypass to get any script to run: $1000-$2000\n\n### High ($2000 - $3000+)\n\nThis tier is for serious security bugs that may result in users getting deanonymized or compromised.\n\na. \"Uncontrolled\" Partial Proxy Bypass: $2000\n  - E.g.: DNS resolution via non-Tor (https://bugs.torproject.org/5741)\n  - Other non-Tor connection to an IP address that is not under an attacker's control (for instance a STUN server, a Mozilla.org server, etc.)\n\nb. Full Proxy bypass: $3000\n  - Direct non-Tor connection to an IP address of the attacker's choice\n  - Full code execution vulnerabilities are not eligible for this bounty (see c. and d.)\n\nc. Tor Browser-Specific Code Exec Base Bounty: $3000\n  - Applies to code exec vulnerabilities against our specific addons/patches/preference choices\n  - Can only be claimed in cases where Mozilla's bounty does not apply\n\nd. Bonus over Base Bounty/Mozilla Bounty for code execution exploits that work in:\n  1. Medium Security Slider Level on an HTTPS page: 50% Bonus\n  2. Medium Security Slider Level on a non-HTTPS page: 75% Bonus\n  3. High Security Slider Level: 100% Bonus\n\nIf there are security bug reports you want to send directly to us, feel free to contact us via tor-security@lists.torproject.org.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-20T16:12:58.155Z"},{"id":3557985,"new_policy":"The Tor Project is committed to working with security experts across the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we'd welcome working with you. \n\nThe Tor Project is offering bug bounties for two of its core products, Tor and Tor Browser. 
Both come with different tiers accompanied by a price range and some restrictions. \n\nTor\n----\n\nFor Tor the tiers, price ranges and restrictions look like this:\n\n### Low severity ($100 - $500):\n    \nThis tier is for low severity bugs that force Tor to misbehave in a way that might be security related, but does not put our core users in danger. If we receive a bug that is too low severity for this tier, we can still send the submitters some stickers or a t-shirt, and also mention them in our greetz list.\n\nBug examples:\n\n* Triggerable undefined behavior (https://bugs.torproject.org/6827)\n* Out-Of-Bounds reads (https://bugs.torproject.org/6530, https://bugs.torproject.org/15823)\n* Security bugs that only affect highly-unused platforms (not Linux/Windows/Mac/FreeBSD)\n* Security bugs affecting configurations which almost nobody uses.\n\n### Medium severity ($500 - $2000):\n\nThis tier is for medium severity bugs that cannot be used to exploit or deanonymize our users, but can be used as part of a greater attack that aims to do so.\n\nBug examples:\n    \n* Remote crash bugs that affect clients, hidden services, relays or dirauths (https://bugs.torproject.org/14129, https://bugs.torproject.org/15083)\n* Attacks that allow relays to link a user over different sessions (e.g. CVE-2011-2768)\n* Security bugs that require local (non-privileged) access to the host to exploit (e.g. local privilege escalation to root)\n* Triggerable memory leaks on hidden services/relays/dirauths (https://bugs.torproject.org/11649)\n\n### High severity ($2000 - $4000):\n\nThis tier is for serious security bugs that result in users getting deanonymized or compromised.\n\nBug examples:\n\n* Attacks that allow remote code-execution (e.g. CVE-2011-0427, CVE-2011-2778)\n* Attacks that cause the leakage of crypto material of relays or clients (e.g. 
Heartbleed-like bugs)\n* Attacks that remotely cause clients to de-anonymize themselves.\n* Any means to bypass hidden service authorization.\n* Any means to impersonate a relay.\n* Any way for non-exit relays to read users' plaintext.\n\n### Vulnerabilities in third party libraries used by standard Tor ($500 - $2000):\n\nMedium or High severity vulnerabilities in any third party libraries that cause an issue as defined above are in-scope for this bug bounty program. This does not include third party libraries covered by other bug bounty programs, such as IBB. For the avoidance of doubt, this does exclude OpenSSL, but libevent is still in scope.\n\n### Excluded vulnerabilities\n\nThis section specifies an incomplete list of vulnerabilities that are *NOT* in scope for this bug bounty program.\n\nThat's because these attacks or issues arise from unanswered research questions and not because of bugs in the Tor software. While Tor may attempt to defend against some of these attacks, any defense is a mitigation and should not be considered indicative of a strong security boundary. Other excluded attacks depend on users doing obviously unsafe tasks, which we also consider out of scope for this program and try to address by educating users.\n\nHere is an incomplete list of excluded vulnerabilities:\n\n* Tagging attacks or other types of end-to-end traffic confirmation using packet modification or timing, such as https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/ or https://blog.torproject.org/blog/one-cell-enough\n* Website and Traffic Fingerprinting Attacks, a good round-up is https://blog.torproject.org/blog/critique-website-traffic-fingerprinting-attacks\n* Using Tor against recommendations. There are several ways to configure Tor or use it insecurely, including insecurely configuring it (e.g. 
setting alternate Directory Authorities), leaking your IP address through torrents, or opening downloaded files in external applications such as document writers.\n* Attacks that are possible by an attacker outside the software's threat model. (For example, Tor assumes that the attacker does not have administrator access to your computer; has not installed a keylogger; does not control a majority of directory authorities; cannot make an authenticated connection to the control port; and so on.)\n* When users go to the wrong hidden service address, they get the wrong hidden service.\n* Timing side-channel attacks that can only be exploited at great difficulty, and only by local users.\n\nTor Browser\n------------------\nFor Tor Browser the tiers, price ranges and restrictions are the following:\n\nGenerally there is no reward for anything already in our public bugtracker. This holds for Mozilla's bugtracker as well, with exceptions (see below). If you claim an additional bounty to the one from Mozilla, we need to have notice of this specific issue before the bug becomes public.\n\n### Low ($100 - $1000)\n\nThis tier is for third-party/supercookie tracking issues:\n \na. Non-fingerprinting (identifiers/cookies/etc): $1000\n  - Can be claimed either for supercookies that survive \"New Identity\" or for other mechanisms to track users across sites.\n\nb. Fingerprinting (Reward depends on accuracy and/or entropy): $100-1000\n  - No reward for browser version differentiation\n  - No reward for OS differentiation\n\n### Medium ($1000 - $2000)\n\nThis tier is for unexploitable crashes caused by Tor Browser patches and NoScript bypasses to get arbitrary scripts to run:\n \na. Unexploitable Tor Browser crashes caused by Tor Browser patches: $1000-$2000\n  - remotely triggerable ones\n  - indirectly triggerable ones by a remote attacker (an attacker succeeds in convincing a user to do certain things that crash the browser)\n\nb. 
NoScript bypass to get any script to run: $1000-$2000\n\n### High ($2000 - $3000+)\n\nThis tier is for serious security bugs that may result in users getting deanonymized or compromised.\n\na. \"Uncontrolled\" Partial Proxy Bypass: $2000\n  - E.g.: DNS resolution via non-Tor (https://bugs.torproject.org/5741)\n  - Other non-Tor connection to an IP address that is not under an attacker's control (for instance a STUN server, a Mozilla.org server, etc.)\n\nb. Full Proxy bypass: $3000\n  - Direct non-Tor connection to an IP address of the attacker's choice\n  - Full code execution vulnerabilities are not eligible for this bounty (see c. and d.)\n\nc. Tor Browser-Specific Code Exec Base Bounty: $3000\n  - Applies to code exec vulnerabilities against our specific addons/patches/preference choices\n  - Can only be claimed in cases where Mozilla's bounty does not apply\n\nd. Bonus over Base Bounty/Mozilla Bounty for code execution exploits that work in:\n  1. Medium Security Slider Level on an HTTPS page: 50% Bonus\n  2. Medium Security Slider Level on a non-HTTPS page: 75% Bonus\n  3. High Security Slider Level: 100% Bonus\n\nIf there are security bug reports you want to send directly to us, feel free to contact us via tor-security@lists.torproject.org.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-20T12:55:07.770Z"}]