• POLICY •
VeraCrypt is an open-source utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file or encrypt a partition or the entire storage device with pre-boot authentication.
PLEASE NOTE: Accepted reports must follow VeraCrypt's Security Model (see attached PDF).
• QUALIFICATION •
Only CRITICAL vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for payment - typically Arbitrary Code Execution or equivalent impact. Lower severity issues are not in scope at this time and will not be paid.
YOU MUST DEMONSTRATE THAT REMOTE EXPLOITATION OF THIS BUG CAN BE EASILY, ACTIVELY, AND RELIABLY ACHIEVED.
Awards are increased for submissions that also give the developers any custom tools you developed to locate the bugs, since this extends the longevity of your work and reduces the chance of regressions or of reintroducing similar bugs of the same class. To receive the increased award, make sure your tools are documented and the code is properly commented so that the developers can use, enhance, and improve upon your work in the future.
Only versions currently supported by the upstream project are eligible. Please verify your issue is present in a current release before submission. Note that other forks of TrueCrypt and any fork of VeraCrypt code are not eligible.
It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.
• IN SCOPE •
Note: Severity shown here only indicates the maximum severity possible for reports submitted to the Asset.
Source code: [login to view URL]
Eligible versions: Current release of VeraCrypt only.
Ineligible versions: other forks of TrueCrypt, any fork of VeraCrypt code.
Targets: Any flaw that weakens the cryptography or leads to information disclosure, or any flaw within VeraCrypt that may impact the security of the operating system. Excluded: virtual servers / cloud instances used with Full Disk Encryption.
• OUT OF SCOPE •
Domain: [login to view URL]
Reports concerning [login to view URL] are not in-scope.