The Peerio Bug Bounty encourages peer review and rewards the contributions of security researchers who volunteer their time and effort to help make Peerio as secure as possible.
General Bounty Guidelines
Peerio will pay up to a $5000 CAD bounty for certain client and service security bugs, as detailed below. All security bugs must follow certain general criteria to be eligible:
- Security bug must be original and previously unreported.
- Security bug must be a remote exploit.
- Security bug must be of "critical" or "high" severity.
- Security bug must be present in one or more of the most recent versions of Peerio, for Chrome, Windows, Mac, Android, or iOS.
In some cases, a bounty may be paid for "moderate" level bugs. All bounties will be awarded at the discretion of Peerio's Bounty Committee.
- Submitter must not be the author of the buggy code nor otherwise involved in its contribution to Peerio (such as by providing check-in reviews).
- Submitter must not be an employee of Peerio or affiliate groups.
- Bugs found in unofficial third-party extensions or modifications are not eligible (Peerio does not endorse any such extensions).
If you identified the security bug through paid work, we would appreciate your not applying for the Peerio bug bounty. Peerio's bug bounty program is designed to encourage those who are volunteering their time and effort and not otherwise paid to work on Peerio.
All bug reports should be e-mailed to firstname.lastname@example.org or sent to "peerio" on Peerio with the subject "Bug Report". Our security team will review your report and evaluate its eligibility for the bounty reward.
Please include the following in your report:
- Your name and contact information.
- A detailed description of the bug.
- If possible, a proof of concept testcase that demonstrates the vulnerability.
- If you have any debug outputs or logs, please include these as well.
When investigating a possible vulnerability, please only target accounts you own. Never attempt to access, disrupt, or damage the data of other users. Do not attempt to execute DoS attacks, spam users, or anything else that is detrimental to Peerio’s use and service. Peerio reserves the right to not reward legitimate applications if the actions of the reporter have in some way endangered the security of Peerio and its users.
To qualify for the bounty, your report must comply with our responsible disclosure policy.
You must not publicly disclose the identified security vulnerability before allowing a reasonable amount of time to address the bug. This policy also holds us responsible for fixing serious security vulnerabilities swiftly and disclosing bugs and fixes within a reasonable amount of time.
If your report is approved, we ask that you be available via your preferred contact method to work with the Peerio team to address the bug. Unless you choose to remain anonymous, you will publicly be given credit for your contributions to Peerio.
If your report is not approved for the bounty, you will be contacted with an explanation of why it did not meet the necessary criteria.
If two or more individuals have collaborated on a legitimate report, the bounty will be divided equally among the individuals listed in the report, unless specified otherwise.