SECURITY.md

We believe that no technology is perfect and that working with skilled security researchersis crucial in identifying weaknesses.

If you believe you've found a security bug in our service, we'll be happy to work with youto resolve the issue promptly and ensure you are fairly rewarded for your discovery.

We will investigate legitimate reports and make every effort to quickly resolve any vulnerability.To encourage responsible reporting, we will not take legal action against you nor ask law enforcementto investigate you providing you comply with the current policy and more generally with the following guideline: Make a good faith effort toavoid privacy violations, destruction of data, and interruption or degradation of our services.

Only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability.
• Any vulnerability found must be reported no later than 72 hours after discovery.
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
• You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second).
• You must not leak, manipulate, or destroy any user data.
• You must not be a former or current employee of Open Collective or one of its contractor.
• You must wait for the issue to be fully fixed before exposing it publicly.
• There must be proof that, given realistic processing power and time, an exploit is possible.

Wewon't accept reports made by testing on our production servers (https://opencollective.com).

You must ideally do all the testing locally. See the following links:

• API:https://github.com/opencollective/opencollective-api
• Frontend:https://github.com/opencollective/opencollective-frontend
• PDF:https://github.com/opencollective/opencollective-pdf
• Rest:https://github.com/opencollective/opencollective-rest
• Images:https://github.com/opencollective/opencollective-images

In case you really need to test on a live environment, we provide staging servers on the following URLs:

• API:https://api-staging.opencollective.com
• Frontend:https://staging.opencollective.com
• PDF:https://pdf-staging.opencollective.com
• Rest:https://rest-staging.opencollective.com
• Images:https://images-staging.opencollective.com

• Mail:security@opencollective.com
• Preferred languages: English
• If your issue is critical, you can use the PGP key below to encrypt your message

-----BEGIN PGP PUBLIC KEY BLOCK-----mQGNBF1uYTMBDACtKuBUOuyeZ98L9F4C3TQRyOhW2AeeFGiu5ViXP0zWUiJPz5DUBV1b2XFcJpjtZxXjXy1LamkXbuRKu++5qSz9zGWdB+QHgUh6LFxF5hBAsBRksxRAqHq8XqNQzwkruFD03nGeSy/9Czyia69rjJQ+beyZrlA7INEEDn7zhgLraTrGTzAdcqi10Eo1i8Buv0ktQIZKM3s/FWGqaB2QPFYz45UeusOLVqLWBNHM3f4nVWZGlpslpzo3iynXHefjix2Enlc1IA3BlYMbQP9FfH/6EXwaXEXL66iyMqS9mVO9XOAWmFPcQS9efIw77S9hE1c9+3y9TxlX//oo+A7SphLiTAUq/pzyXZa8O0BJPrubHa7HsbsDMZ+aOz0eVUftWuI9Wd86QZ3DS50sHto82TpTxR5xyzmGK1LEkouarv0X21hP2SPxo8TxOCBcIm+ST1KHsXFdQIbj/70ijDFknYdyTyHeoJJD3z2sAmIiZaa+yjyo9lo2Hb35MTA5lmmgNqMAEQEAAbQ4T3BlbiBDb2xsZWN0aXZlIC0gU2VjdXJpdHkgPHNlY3VyaXR5QG9wZW5jb2xsZWN0aXZlLmNvbT6JAc4EEwEKADgWIQTX8kIeU27JpY8jjH0egUmegEn4jQUCXW5hMwIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAegUmegEn4jdceC/9dvoT2NGODVPdy2zXEXu6nhuCLMHteHlgPsp1HSjJh9qHxoXa/Hv0QPYy4aWMjH5ZGeQSj08rhAvQCUZCMBwJFkYp8YZLF6KclOroAsj1xx2kS3Zqnd2YcQ+rb5gpAzAgM+3D7RruQEVNDaRG+w/EAmDC3okY/Ow1qK4s9Tl846nnLbj9/FrmaYwHWAir50OKGWnC9QJVcJZLE3BDTMfupVK9l3ci9ZF6jNiZvYUYGF1PfPgYEdjbxQgc1Myc9lG6yI3BdjmgRONfRlJl16+t+5A4Jp8KX+ZhLei7YWjbFe3loKNV4iCOi63aQGA+BQN/e2rN5nH2mcDBU6Ss4Qq1OSasNfdswO/t7FkW8+1nUxEWYUlZvJDSboybb01g9S4C6Ot5pDmpOyU2Hv98x4TshRnPlPQof5+nX1OqyDE4JiuKqGOBKP1zts31QUSndPVCC9NrZr2f2I6W5hva/N2iIAQwJ25V58c/PXP5Qt9YJ6LdmDtIqzho0cQrsQinyxVS5AY0EXW5hMwEMANJeCKUrtyKy2ohFUfDx5IW3HaSUCCY3rRhBUGcUrNVRUbJRfqdq1+/OMaMw8X/xVKyD1SryHa8/WZB82MpOqZsRMB7Jl2gusXgAMoYe5XFCewa4CMELfTT9egNZT7Q8QCSN2XQqk5ldl2xu3zPaC3lvT2aCRth0rdRbsiQ6uI+kHNIZaHDy65rHBlq7hZPVv9bDq0aP8VdpxMgZT+YLxsuLp8LMKPR0bjM+IDdRyixQteAM5siwRVW9lyKPo1+KUnxM1JaghavlNxivilqgMwNK8jcM9sl49AVzR147rf9dx0mtiTjcufXXCi4bAmhdAW7uE48Bcm1sIwuTDq21sCo0zppFXb4h4cWJC1zJTJGMU5lsGUShS4oeXF7nDlypRT+dQJ+jzvlTkTAZTjaAt9bwHzD2FnHZ4kqjKTC+0ky/hFO1siOCJ+wvhkfk1ZyBMXLtDRje1gKTRAOuAxZYEM8tvC911nDusUaGRpmMbEtiaJaawknU9qrvsX9UCaNfzwARAQABiQG2BBgBCgAgFiEE1/JCHlNuyaWPI4x9HoFJnoBJ+I0FAl1uYTMCGwwACgkQHoFJnoBJ+I2CjQwAoN7PfaFMPnAT/NefMu7q0BkbvXUpt9c2jBv5HWzEBxRg00ATxpPJy661CJwOscUjzHyxj0M+azCqtJmLXKYGqbMfFQypxxwPEcbknRYoNKaUZZi9c968h1sFjFJoH5gGhWDF/WkoYA4KmtaJ/oQH+XpFrguThLqQePW0d5Hd3nLO79YbU1u+eKPQyiG1Vfgkl7PV/6o+RNFpAFJPsD5RmY+6f68zEHGsWoGcyjzdikYgM6B9HvMryu5F7nt6QH6JGoB0EyX7ZlGjIzRs6wRg6p7gbg/8wEeYOGTOdGk4F+DWgWrvXPoZwIQdz4tLumcOx7rhEX2nMgMJyYgsj9aY0m/i1PoAYpLiR85NIRbCLA2DnvrOG1aYelnyLxniiwKKV8sii8Y7Un6pja70K32uv9CHmqfCMSF2tJotZj+ZhGN0eI6VKys1OrqPbAqYcroasytncq7BBe0AI+mQwf+ESlENix2p4LJ8BZLU/D/eaEugQL8LXW+KZVDXyCMwlCA4=2kSo-----END PGP PUBLIC KEY BLOCK-----

Note: we are not able to pay bounties to people based in countries sanctioned by the United States, or countries where US sanctions are so widespread that our payment processors no longer serve them.

• Remote code execution (RCE)
• Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
• Code injections (JS, SQL, PHP, ...)
• Cross-Site Scripting (XSS)
• Cross-Site Requests Forgery (CSRF) with real security impact
• Open redirect
• Broken authentication & session management
• Insecure direct object references
• CORS with real security impact
• Horizontal and vertical privilege escalation
• SQL injections

• "Self" XSS
• Rate Limiting
• Text/HTML Injection
• Social engineering
• Homograph Attack
• Missing cookie flags
• Information disclosure
• SSL/TLS best practices
• Mixed content warnings
• Denial of Service attacks
• Missing security headers
• Clickjacking/UI redressing
• Software version disclosure
• Stack traces or path disclosure
• Missing autocomplete attributes
• Physical or social engineering attempts
• Recently disclosed 0-day vulnerabilities
• Presence of autocomplete attribute on web forms
• Vulnerabilities affecting outdated browsers or platforms
• Our policies on presence/absence of SPF/DMARC records
• Any hypothetical flaw or best practices without exploitable POC
• Issues that require physical access to a victim’s computer/device
• Logout and other instances of low-severity Cross-Site Request Forgery
• Extension manipulation without any evidence of vulnerability (Attachments)
• Missing security-related HTTP headers which do not lead directly to a vulnerability
• Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
• Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
• Any issues regarding single session features/management
• RTLO and related issues

• Reporter submit a report. To make sure that you don't loose too much time preparing a nice report if the issue is already known from us, you can submit just a small summary without technical details and proofs of concepts.
• Open Collective Team...
  • Confirms that the report has been received. If it's an unknown issue, we may ask you for more details.
  • Tries to confirm/reproduce the issue.
  • Discuss results and possible impact to determine the score (low/medium/high/critical) and bounty amount.
• Reporter is rewarded with a bounty at this stage (if applicable).
• Team works on a fix, verifies it an pushes it.
• Team confirms that the issue has been patched and may ask reporter to check the fix.
• We write a postmortem to document the issue. From this point it is safe for reporter to go public about the issue.

Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay. We will rely on CVSS3 as well as internal criteria to score the vulnerabilities.

Things that we take into account to adjust the score for vulnerabilities:

• Everything related to authentication
• Allow to take control or leak information about payment methods or connected accounts
• Compromise the integrity or historicity of our transactions ledger
• Compromise the permission system