Bug Bounty program coming soon! 🏁

[RoKrish14]

Stay tuned!
We will soon inform you about the bug bounty initiative

[mm73628486283]

Before we start with a bug bounty program it's necessary to prepare on the most important topics:

Scope

• Which repositories are in scope at start?
• How do we put repositories in scope and out of scope? (decision criteria, period)
• Which issue classes/types are in scope + which ones out of scope?

Payout

• What payout bandwidths do we set per severity?
• Do we set different payouts for different issue classes/types?

Workflow

• How to we process with reported issues in general?
• In case of controversial reports: How do we validate issues together with the affected repository team?

Transparency

• How/Where do we publish the bug bounty program policy?

[mm73628486283]

Some inputs after discussion with @RoKrish14 and @BANANAS1337.

Scope

* Which repositories are in scope at start?

Starting with a couple of repositories that crucial to the ecosystem, e.g. EDC and BDPM. Prioritization together with Tractus-X project leads.

* How do we put repositories in scope and out of scope? (decision criteria, period)

1. Pre-check of SAST results (CodeQL) per repository, according to upcoming TRG (no open critical, high and valid medium code scanning alerts) together with corresponding committer.
2. Alerts towards vulnerable dependencies, packages, libraries raised by container image, dependency and IAC scanners (Dependabot, Trivy, KICS, Snyk) will not be considered and excluded as bug classes from the bug bounty program.

We will monitor the bug bounty program results and tend to add additional repositories to the scope on a monthly basis after successful pre-check.

Workflow

* How to we process with reported issues in general?

Handle incoming reports on the bug bounty program provider platform first and after successful validation by sig-security member we put them into the regular workflow for reporting a vulnerability according to EF Vulnerability Reporting Policy in the affected repository.

* In case of controversial reports: How do we validate issues together with the affected repository team?

If it's not possible to evaluate on our own that it is a valid issue, we report them as well according the regular workflow for reporting a vulnerability according to EF Vulnerability Reporting Policy in the affected repository.