Difference between revisions of "Security Hall of Fame"

From Gallery Codex

(new person to thank)
 
(43 intermediate revisions by 2 users not shown)
Line 1: Line 1:
The Gallery team is very excited to announce a new bounty program, where '''we pay you''' for helping us out by finding security problems or contributing code. (Note: this only applies to the most recent version of our currently shipping software: Gallery 3) Additionally, you can pitch in to the fund to reward people that fix bugs or write features you want to see fixed or implemented! We're pledging '''$5000''' to get this started, and you can start contributing right now! Read on for the details of this program.
 
  
== Some things to Note ==
+
== Security Contributors ==
  
Gallery 3 has undergone several security reviews and as a result of each review, potential security issues have been resolved.  We are interested in all types of potential security issues in Gallery 3.
+
The following individuals responsibly submitted security vulnerabilities to the Gallery team, and were rewarded with cash bounties. This program is over, but we'd like to continue to recognize their contributions.
 
+
Since the initial release of Gallery 2, all releases of Gallery 2 undergo a paid professional security review before release.  They've caught things each time, but we're fairly confident in the security of Gallery 2, and Gallery 2 is no longer under active development. Realistically, we are only likely to reward and fix 'Critical' security issues.
+
 
+
Gallery 1 has undergone a paid security review by a professional security firm, and has been effectively end-of-lifed. We will not reward or fix any issues with Gallery 1.
+
 
+
While we appreciate security reports about this site, our website, etc., we will only pay out substantially reduced bounties for any issues reported about anything not related to issues in shipping versions of Gallery 3 or 2.
+
 
+
== Security Bounties ==
+
 
+
We're offering a substantial amount of money for responsibly reporting security issues in the current development version of our currently shipping software: Gallery 3. To get the bounty, the security issue must be reported to [mailto:security@gallery.menalto.com security@gallery.menalto.com] and must not be made public until a fix is available from us on the official Gallery website. Critical problems that require an immediate fix will be worth $1000 and smaller amounts will be paid out for moderate ($400), uncritical ($200), and trivial problems ($100). If we are already aware of an issue, you won't receive the full bounty but will still be credited with finding it independently (and may, at our discretion, receive some of the bounty amount). Understandably, known security issues aren't listed publicly until they are fixed and not all security issues are serious enough to require an immediate fix. We have a long history of collaborating with security researchers and are convinced that trust will not be an issue.
+
 
+
== Feature and Bug Bounties ==
+
 
+
You can also make money fixing bugs or writing code! This one is a little more complicated, but the outcome is similar. We'll pay you to write features or fix bugs that have been voted into the "top feature requests" list. The #1 open item is worth $500, #2 $400, #3 $300, and the rest of the top 10 are worth $250. However, this isn't as easy as it sounds; there are a few requirements:
+
 
+
* You must get approval from us before starting on your work. This is both to claim the item (we won't let other developers sign up for the bounty until you give up or disappear) and make sure that the goals are well defined. Some of the RFEs aren't very specific and we'll mutually agree on a set of deliverables before you get started. To get the bounty, your code must meet the spirit of the request (with the majority of the core team approving).
+
* You should work in the open. We'll need to see progress for you to keep the bounty assigned to you, and code developed without feedback from the team will be sent back without detailed review if it doesn't look or feel right. This sounds subjective and is! We'll help you out if you work in the open, and you'll get the money as long as you do a significant amount of the work.
+
* Your work must meet our coding standards and include unit tests. This isn't hard, but working in the open and getting continual feedback from us will likely be important! It must be accepted into Gallery SVN trunk (or gallery-contrib if the code is for Gallery 2 and the majority of the core team approves), the copyright must be assigned to us (as with all of our contributed code), and the code must be licensed with the GPL.
+
 
+
== Getting Money ==
+
 
+
E-mail [mailto:bounties@gallery.menalto.com bounties@gallery.menalto.com] to sign up for a bounty. Let us know which one you're interested in and we'll work with you to get things started. Recipients of a bounty don't have to accept any or all of it! You are welcome to privately (only known to the person on our team that manages our finances) or publicly (news announcement!) accept or refuse all or part of the bounty. Once our initial $5000 commitment is gone, we will likely put more money into the program and make an announcement indicating this. (Before emailing us, you should check this page to make sure someone hasn't signed up to work on that item yet. See the list below.)
+
 
+
NOTE: This means that once we have spent over our initial $5000 commitment, we may not be able to pay out further bounties.  Gallery is not a commercial entity and is entirely funded by donations, so our pockets are not as deep as larger organizations. As of the Gallery 3.0.4 release on 2012-06-12, we have officially spent $6800 on bounties, and are investigating how much more money we can put forward for this program. Please contact us before you submit a security issue if you're counting on a particular payout!
+
 
+
== Giving Money ==
+
 
+
Donating money towards a specific cause is easy! Initially, 50% of your donation will go to the winner of the bounty and 50% will be treated as a regular donation. Once the total amount of donations received matches our initial contribution to that particular item, 25% of your donation will go to the winner of the bounty and 75% will go to the general fund. But you don't need to worry about figuring that out, just follow the steps below:
+
 
+
* Pick something you want fixed or implemented on the [http://gallery.menalto.com/sfvote Feature Vote page] (Sorry, we can't take donations for things not on this list, but you're welcome to make an RFE in our [http://sourceforge.net/tracker/?group_id=7130&atid=357130 feature request tracker] and then donate towards it!)
+
* Make a donation using one of our standard [http://gallery.menalto.com/donate?donate_tag=bounties Donation methods]
+
* E-mail [mailto:bounties@gallery.menalto.com bounties@gallery.menalto.com] with:
+
** the total amount of your donation
+
** a way we can find your donation (method, transaction id, email, name, etc)
+
** the id and name of what you are donating to (from the feature vote page)
+
 
+
= Open Items =
+
 
+
Below are lists of donations made and people signed up to work on things.  
+
 
+
== Donations ==
+
 
+
These are donations that have been applied to open RFEs and bugs. Feel free to donate more towards them!
+
 
+
* $12.50 - 1767763 Dupe Detect
+
* $10.00 - 1078228 Invitation Only Feature
+
 
+
== Active Bounty Items ==
+
 
+
You can't sign up for these because someone is already working on them!
+
 
+
* 1078963 [G2] statistical information module (statistics) - aidan (1st place)
+
* 1265885 [G2] Mass-edits of "general" properties for images - aidan (8th place)
+
 
+
= Paid Bounties =
+
 
+
People that have cashed in on bounties so far:
+
  
 
* Nick Roberts - $200 (security issue)
Line 76: Line 18:
 
* Emanuel Bronshtein - $1000 (collection of security issues)
 
* Sergey Markov - $1000 (collection of security issues)
 +
* Dhiraj Ranka - $400 (security issue)
 +
* Dhaval Chauhan / @ 17haval - $400 (security issue)
 +
* ma.la - $400 (security issue)
  
 
= Thanks! =
  
Several people have reported issues to us with our website which include Drupal, Mediawiki, and a few other things. We don't pay out bounties for these but appreciate responsible disclosure on these.
+
Several people have reported issues where Gallery administrators can include malicious content. We don't pay out bounties for these because we assume that Gallery Administrators have full control over their site and could add malicious content without using an un-sanitized input field in an administrator only view.
 +
 
 +
* Atulkumar Hariba Shedage and Ritesh Arunkumar Sarvaiya of Defencely
 +
* Paweł Hałdrzyński
 +
 
 +
Several people have reported issues to us with our website which include Drupal, Mediawiki, and a few other things. We don't pay out bounties for these but appreciate responsible disclosure on these. Note: We are aware that our login forms are sent over HTTP and are ok with this. Additionally, any vulnerabilities reported that were found with an automated scanning tool must include a description and a proof-of-concept other than the one generated by the tool.
  
* Ashar Javed - XSS on gallery.menalto.com
+
* Ashar Javed - XSS on galleryproject.org
* Shashank Kumar - File contents disclosure and XSS on codex.gallery2.org
+
* Shashank Kumar - File contents disclosure and XSS on codex.galleryproject.org
* Kamal - Server Platform Leak on codex.gallery2.org
+
* Kamal - Server Platform Leak on codex.galleryproject.org
* Ajay Singh Negi - Account security issue on gallery.menalto.com
+
* Ajay Singh Negi - Account security issue on galleryproject.org
 
* Emanuel Bronshtein - Server Platform Leak on menalto.com (codex, home, gallery)
* Rafay Baloch - XSS on codex.gallery2.org
+
* Rafay Baloch - XSS on codex.galleryproject.org
 
* Kamil Sevi - XSS on menalto.com
 
* SimranJeet Singh - XSS on reviews.gallery2.org (now decommissioned)
 
* Harsha Vardhan Boppana - cipher strength issue on menalto.com SSL
 
* Thamatam Deepak - path disclosure on galleryproject.org test sites
* Ladronul Ladronu - File Inclusion issue on galleryproject.org
+
* Jimmy_RST - File Inclusion issue on galleryproject.org
 +
* Hip of Insight-Labs - XSS on menalto.com
 +
* Andrew Edwards - various issues with menalto.com and codex.galleryproject.org
 +
* Nihal Mistry - Full Path Disclosure on codex.galleryproject.org
 +
* Vinesh Redkar - XSS on galleryproject.org
 +
* Tejash Patel - CSRF on codex.galleryproject.org
 +
* Nikhalesh Singh Bhadoria - XSS on menalto.com
 +
* John Carroll - malicious URL inclusion on galleryproject.org
 +
* Jay Turla - Apache Range Exploit on galleryproject.org
 +
* Bo0oM / @ i_bo0om - Remote shell access to galleryproject.org
 +
* Brij Kishore Mishra - Full Path Disclosure on galleryproject.org
 +
* Missoum SAID / @missoum1307 - Full Path Disclosure on galleryproject.org
 +
* Rodolfo Godalle, Jr. - Full Path Disclosure on galleryproject.org
 +
* Mennouchi Islam Azeddine - Content Injection on codex.galleryproject.org
 +
* Ali Hasan Ghauri - Clickjacking on menalto.com
 +
* Jerold Camacho - CSRF on menalto.com
 +
* Dinesh Kumar P - Brute Force Login on galleryproject.org
 +
* Jamie Niemasik / @jniemasik - Missing SPF record on galleryproject.org
 +
* Nehal Hussain - phpinfo disclosure on galleryproject.org
 +
* Allan Jay Tomol - SPF issue with galleryproject.org
 +
* Wassim Batta - file disclosure on galleryproject.org
 +
* N B Sri harsha - SPF issues with galleryproject.org and menalto.com
 +
* Marc Rivero López / @seifreed - SSL vulnerability on galleryproject.org
 +
* Sarath Kumar - OpenSSL CCS Injection Vulnerability
 +
* Faisal Ahmed - Path Disclosure on galleryproject.org
 +
* Ismail Tasdelen - XSS vulnerability in galleryproject.org
  
 
[[Category:Project]]
[[Category:Gallery 2]]
+
[[Category:Gallery 3]]

Latest revision as of 12:08, 18 February 2018

Security Contributors

The following individuals responsibly submitted security vulnerabilities to the Gallery team, and were rewarded with cash bounties. This program is over, but we'd like to continue to recognize their contributions.

  • Nick Roberts - $200 (security issue)
  • Meric Manalastas - $500 (security issue)
  • Russell Lee - $75, Tim Almdal - $175 (notifications module RFE)
  • Hanno Boeck - $100 (security issue)
  • Alex Ustinov - $500 (security issue)
  • John Hisdock - $250 (security issue)
  • Kriss Andsten - $400 (security issue: permission bypass)
  • George Argyros
  • Aggelos Kiayias
  • Chalk - $1000 (collection of security issues)
  • Mateusz Goik - $1000 (collection of security issues)
  • James 'albino' Kettle - $1000 (collection of security issues)
  • Emanuel Bronshtein - $1000 (collection of security issues)
  • Sergey Markov - $1000 (collection of security issues)
  • Dhiraj Ranka - $400 (security issue)
  • Dhaval Chauhan / @ 17haval - $400 (security issue)
  • ma.la - $400 (security issue)

Thanks!

Several people have reported issues where Gallery administrators can include malicious content. We don't pay out bounties for these because we assume that Gallery Administrators have full control over their site and could add malicious content without using an un-sanitized input field in an administrator only view.

  • Atulkumar Hariba Shedage and Ritesh Arunkumar Sarvaiya of Defencely
  • Paweł Hałdrzyński

Several people have reported issues to us with our website which include Drupal, Mediawiki, and a few other things. We don't pay out bounties for these but appreciate responsible disclosure on these. Note: We are aware that our login forms are sent over HTTP and are ok with this. Additionally, any vulnerabilities reported that were found with an automated scanning tool must include a description and a proof-of-concept other than the one generated by the tool.

  • Ashar Javed - XSS on galleryproject.org
  • Shashank Kumar - File contents disclosure and XSS on codex.galleryproject.org
  • Kamal - Server Platform Leak on codex.galleryproject.org
  • Ajay Singh Negi - Account security issue on galleryproject.org
  • Emanuel Bronshtein - Server Platform Leak on menalto.com (codex, home, gallery)
  • Rafay Baloch - XSS on codex.galleryproject.org
  • Kamil Sevi - XSS on menalto.com
  • SimranJeet Singh - XSS on reviews.gallery2.org (now decommissioned)
  • Harsha Vardhan Boppana - cipher strength issue on menalto.com SSL
  • Thamatam Deepak - path disclosure on galleryproject.org test sites
  • Jimmy_RST - File Inclusion issue on galleryproject.org
  • Hip of Insight-Labs - XSS on menalto.com
  • Andrew Edwards - various issues with menalto.com and codex.galleryproject.org
  • Nihal Mistry - Full Path Disclosure on codex.galleryproject.org
  • Vinesh Redkar - XSS on galleryproject.org
  • Tejash Patel - CSRF on codex.galleryproject.org
  • Nikhalesh Singh Bhadoria - XSS on menalto.com
  • John Carroll - malicious URL inclusion on galleryproject.org
  • Jay Turla - Apache Range Exploit on galleryproject.org
  • Bo0oM / @ i_bo0om - Remote shell access to galleryproject.org
  • Brij Kishore Mishra - Full Path Disclosure on galleryproject.org
  • Missoum SAID / @missoum1307 - Full Path Disclosure on galleryproject.org
  • Rodolfo Godalle, Jr. - Full Path Disclosure on galleryproject.org
  • Mennouchi Islam Azeddine - Content Injection on codex.galleryproject.org
  • Ali Hasan Ghauri - Clickjacking on menalto.com
  • Jerold Camacho - CSRF on menalto.com
  • Dinesh Kumar P - Brute Force Login on galleryproject.org
  • Jamie Niemasik / @jniemasik - Missing SPF record on galleryproject.org
  • Nehal Hussain - phpinfo disclosure on galleryproject.org
  • Allan Jay Tomol - SPF issue with galleryproject.org
  • Wassim Batta - file disclosure on galleryproject.org
  • N B Sri harsha - SPF issues with galleryproject.org and menalto.com
  • Marc Rivero López / @seifreed - SSL vulnerability on galleryproject.org
  • Sarath Kumar - OpenSSL CCS Injection Vulnerability
  • Faisal Ahmed - Path Disclosure on galleryproject.org
  • Ismail Tasdelen - XSS vulnerability in galleryproject.org