Los Angeles: The release of Drupal 8 is approaching, and users expect it to uphold the same security standard as previous Drupal releases. To meet that expectation, the Drupal security team is using D8 Accelerate funds to pay for valid security issues found in Drupal 8. Anyone can take part in this bug bounty program, which runs until 31 August 2015.
How does the program work?
If you wish to participate in the bug bounty program, install a local copy of Drupal 8 from Git and look for security issues such as SQL injection, cross-site scripting (XSS), access bypass, and cross-site request forgery (CSRF). If you find an issue, submit it at www.bugcrowd.com/drupal; you will need to sign up for an account on bugcrowd.com first. Bugcrowd is a crowdsourced security testing platform that is also used by Pinterest, LastPass, and CARD.com.
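As an added illustration (this is not code from Drupal core or from this post), here is what a qualifying finding in a hypothetical custom module might look like, next to the fixed version. The module name, class name and page callback are invented for the example; the database and escaping APIs are the standard Drupal 8 ones.

```php
<?php
// Added illustration, not Drupal core code. A hypothetical custom-module
// controller showing two bug classes the bounty lists (SQL injection and
// XSS) next to the Drupal 8 API usage that avoids them.

namespace Drupal\example_lookup\Controller;

use Drupal\Component\Utility\Html;
use Drupal\Core\Controller\ControllerBase;
use Symfony\Component\HttpFoundation\Request;

class LookupController extends ControllerBase {

  // VULNERABLE: the ?name= query value is interpolated straight into SQL.
  // A value such as  ' OR '1'='1  rewrites the WHERE clause. This is the
  // kind of issue the program pays for.
  public function findUnsafe(Request $request) {
    $name = $request->query->get('name', '');
    $rows = \Drupal::database()
      ->query("SELECT uid, name FROM {users_field_data} WHERE name = '$name'")
      ->fetchAll();
    $out = '';
    foreach ($rows as $row) {
      // Also XSS: a stored user name is echoed as raw markup.
      $out .= '<li>' . $row->name . '</li>';
    }
    return ['#markup' => '<ul>' . $out . '</ul>'];
  }

  // HARDENED: a named placeholder keeps the value out of the SQL grammar,
  // and the name is HTML-escaped before it is treated as markup.
  public function findSafe(Request $request) {
    $name = $request->query->get('name', '');
    $rows = \Drupal::database()
      ->query(
        'SELECT uid, name FROM {users_field_data} WHERE name = :name',
        [':name' => $name]
      )
      ->fetchAll();
    $out = '';
    foreach ($rows as $row) {
      $out .= '<li>' . Html::escape($row->name) . '</li>';
    }
    return ['#markup' => '<ul>' . $out . '</ul>'];
  }

}
```

When reporting, a request URL that triggers the unsafe branch, the exact query that results, and the observed effect are what the security team needs to reproduce the issue; the same holds for an XSS payload that renders unescaped.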
How will you be paid for this?
Drupal will pay between $50 and $1,000 per issue; the more serious the issue, the higher the payment. A security team member must confirm the issue before you are paid. You also have to provide a detailed explanation of the issue and the steps to reproduce it. Both the quality of your report and the severity of the issue are considered when assigning a value.
What if you find some issues in other versions of Drupal?
If you find issues in other versions of Drupal, report them through Drupal's normal security issue reporting process. As with any private report, you will be credited as long as you do not disclose the issue yourself; if the security team decides the issue is suitable for public discussion, it will disclose it and give you credit. Note that issues which can only be exploited by an attacker who already holds a highly privileged permission, such as "administer users", "administer filters", "administer site configuration", or "administer permissions", do not count.
The following issues are excluded from the bug bounty program:
- Descriptive error messages such as application errors, server errors, or stack traces.
- Non-200 HTTP status codes and pages, including 404 pages.
- Disclosure of banner/ fingerprinting on public services.
- Disclosure of directories or public files.
- Cross-site request forgery on forms available to anonymous users (for example, contact forms).
- Logout CSRF.
- Browser autocomplete or save-password functionality.
- Missing Secure flag on non-sensitive cookies.
- Lack of a security "speed bump" when leaving the site.
- Username enumeration.
- Missing HTTP security headers:
  - X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options.
  - Content-Security-Policy, X-WebKit-CSP, and X-Content-Security-Policy.
- TLS/SSL configuration issues such as BEAST, renegotiation attacks, BREACH, forward secrecy not being enabled, and weak or insecure cipher suites.
Reports in these categories may still be credited at the security team's discretion, but they will not be paid.
At Fortune Innovations Los Angeles, we have highly knowledgeable Drupal web developers who stay up to date with the latest development trends. Our extensive experience has made us what we are today, and our focus on client satisfaction has been the main reason for our success. Let us know if you have any web development requirements.