Private Packagist Bug Bounty Program
Last modified: July 17, 2024
Private Packagist encourages users and independent security researchers to report detected security vulnerabilities. We appreciate the work of independent security researchers who review and test our service for security vulnerabilities because it makes Private Packagist more secure. We offer a bug bounty for the report of reproducible and unreported security vulnerabilities. The amount of the bounty depends on the severity of the vulnerability as determined by Private Packagist and there is no guaranteed right to payment of a bounty.
Guidelines
Over time we have collaborated with numerous security researchers. Here are some guidelines to ensure a smooth collaboration and speedy review of the reports:
- Report vulnerabilities to contact@packagist.com.
- Report one issue at a time. This makes it easy to discuss issues.
- We award bug bounties once for each issue. If the same vulnerability shows up in different contexts, we consider this as one issue and one report.
- Focus your vulnerability research on the domains packagist.com and repo.packagist.com, which run the Private Packagist application and Composer repository. Other domains like blog.packagist.com are excluded from the bug bounty program. Bounties are paid only for packagist.com and repo.packagist.com.
- Don’t perform tests that cause an interruption of the service. In particular, don’t perform tests that cause a high load on the hosting infrastructure.
Excluded From A Bug Bounty
The following issues are known and are excluded from a bug bounty. We reserve the right to add anything here that we do not consider relevant but did not predict at the time of editing this page:
- Any bug without security implications, e.g. a way to produce an error page. If the bug cannot be used to access or modify private information, to trick others into unintended actions, or to otherwise impact the security of packagist.com, then it is excluded from bounties.
- TLS versions: packagist.com and repo.packagist.com currently support several TLS versions that ssllabs.com considers weak. We are aware of that. For compatibility with older devices, we currently will not remove support for these versions. This is a common practice among many large web services.
- Linking of image files hosted on third-party sites to track users.
- Metadata in image files (EXIF, IPTC).
- Lack of enforcement of certain product feature usage limits, for example, limiting the number of password reset requests sent, rate-limiting requests, etc.
- Denial of service attacks.
- Issues relating to our DMARC/SPF setup. This is intentionally weak out of necessity for a third party mailing service we plan to remove at a later time.
- Anything relating to DNSSEC.
- Issues related to the disclosure of the server version in HTTP headers.
- Issues without a way to exploit them. In particular, do not send us results of your automated analysis tools without verifying that the reported problems are actually exploitable in the context of our entire application.
- The Intercom chat widget and its configuration.
If you have questions about the bug bounty program, please contact us at contact@packagist.com.