Security Hall of Fame

From Gallery Codex

Revision as of 16:40, 8 July 2013 (minor edit: text replacement "codex.gallery2.org" to "codex.galleryproject.org")

Yes, we pay cash to security experts who find vulnerabilities in our products. However, we are not interested in hearing about vulnerabilities that you find by running automated tools against our sites. We have those same tools (W3AF, Subgraph Vega, Netsparker, etc.) and can push the buttons ourselves. Please do not run one of those tools against our sites and then cut and paste the results into an email: you'll just get a canned response, no cash, and no entry in our hall of fame below. If you spend the time to find a real vulnerability and report it confidentially to us with an appropriate level of detail, you may be eligible for a bounty.

Cash Bounties for Security Vulnerability Disclosures

The Gallery team is very excited to announce a new bounty program, where we pay you for helping us out by finding security problems or contributing code. (Note: this only applies to the most recent version of our currently shipping software: Gallery 3) Additionally, you can pitch in to the fund to reward people that fix bugs or write features you want to see fixed or implemented! We're pledging $5000 to get this started, and you can start contributing right now! Read on for the details of this program.

Some Things to Note

Gallery 3 has undergone several security reviews and as a result of each review, potential security issues have been resolved. We are interested in all types of potential security issues in Gallery 3.

While we appreciate security reports about this site, our website, etc., we will pay out only substantially reduced bounties for issues that are not in shipping versions of Gallery 3.

Security Bounties

We're offering a substantial amount of money for responsibly reporting security issues in the current development version of our currently shipping software, Gallery 3. To get the bounty, the security issue must be reported to security@galleryproject.org and must not be made public until a fix is available from us on the official Gallery website. Critical problems that require an immediate fix are worth $1000; smaller amounts are paid for moderate ($400), non-critical ($200), and trivial ($100) problems. If we are already aware of an issue, you won't receive the full bounty, but you will still be credited with finding it independently (and may, at our discretion, receive part of the bounty amount). Understandably, known security issues aren't listed publicly until they are fixed, and not all security issues are serious enough to require an immediate fix. We have a long history of collaborating with security researchers and are convinced that trust will not be an issue.

NOTE: Once we have spent more than our initial $5000 commitment, we may not be able to pay out further bounties. Gallery is not a commercial entity and is entirely funded by donations, so our pockets are not as deep as those of larger organizations. As of the Gallery 3.0.4 release on 2012-06-12, we have officially spent $6800 on bounties and are investigating how much more money we can put toward this program. Please contact us before you submit a security issue if you're counting on a particular payout!

People who have cashed in on bounties so far:

  • Nick Roberts - $200 (security issue)
  • Meric Manalastas - $500 (security issue)
  • Russell Lee - $75, Tim Almdal - $175 (notifications module RFE)
  • Hanno Boeck - $100 (security issue)
  • Alex Ustinov - $500 (security issue)
  • John Hisdock - $250 (security issue)
  • Kriss Andsten - $400 (security issue: permission bypass)
  • George Argyros
  • Aggelos Kiayias
  • Chalk - $1000 (collection of security issues)
  • Mateusz Goik - $1000 (collection of security issues)
  • James 'albino' Kettle - $1000 (collection of security issues)
  • Emanuel Bronshtein - $1000 (collection of security issues)
  • Sergey Markov - $1000 (collection of security issues)
  • Dhiraj Ranka - $400 (security issue)
  • Dhaval Chauhan / @ 17haval - $400 (security issue)
  • ma.la - $400 (security issue)

Several people have reported issues where Gallery administrators can include malicious content. We don't pay out bounties for these, because we assume that Gallery administrators have full control over their site and could add malicious content anyway, without needing an unsanitized input field in an administrator-only view.

  • Atulkumar Hariba Shedage and Ritesh Arunkumar Sarvaiya of Defencely

Several people have reported issues with our websites, which run Drupal, MediaWiki, and a few other things. We don't pay out bounties for these, but we appreciate responsible disclosure of them. Note: we are aware that our login forms are sent over HTTP and are OK with this. Additionally, any vulnerability reported that was found with an automated scanning tool must include a description and a proof of concept other than the one generated by the tool.

  • Ashar Javed - XSS on galleryproject.org
  • Shashank Kumar - File contents disclosure and XSS on codex.galleryproject.org
  • Kamal - Server Platform Leak on codex.galleryproject.org
  • Ajay Singh Negi - Account security issue on galleryproject.org
  • Emanuel Bronshtein - Server Platform Leak on menalto.com (codex, home, gallery)
  • Rafay Baloch - XSS on codex.galleryproject.org
  • Kamil Sevi - XSS on menalto.com
  • SimranJeet Singh - XSS on reviews.gallery2.org (now decommissioned)
  • Harsha Vardhan Boppana - cipher strength issue on menalto.com SSL
  • Thamatam Deepak - path disclosure on galleryproject.org test sites
  • Jimmy_RST - File Inclusion issue on galleryproject.org
  • Hip of Insight-Labs - XSS on menalto.com
  • Andrew Edwards - various issues with menalto.com and codex.galleryproject.org
  • Nihal Mistry - Full Path Disclosure on codex.galleryproject.org
  • Vinesh Redkar - XSS on galleryproject.org
  • Tejash Patel - CSRF on codex.galleryproject.org
  • Nikhalesh Singh Bhadoria - XSS on menalto.com
  • John Carroll - malicious URL inclusion on galleryproject.org
  • Jay Turla - Apache Range Exploit on galleryproject.org