
Bug Bounty Program

We are happy about any bug report we get, so we can fix it. But since we have been asked whether we pay bug bounties, let me explain:

In the past we paid bug bounties for valuable information about vulnerabilities in our products or website.
We haven't put up a website for this like the CURL project has, but we may formalize it more in the future.

To give a few examples for the websites:
  • You can read a file you shouldn't see.
  • You circumvented the CMS login. Create a new article with your name as proof and contact us.
  • You can write a file to our web server, e.g. write a text file with your name and contact us.
  • You can execute code on our web server, e.g. run ls -al and show us the output.
  • You can run SQL on our database servers.
For our products:
  • Have you been able to crash an app with bad input data? Especially if that could lead to stack corruption and thus to input data being executed as code.
  • Have you found a way to do an SQL injection?
  • Have you found a way to circumvent a login or security privilege checking?
  • Have you found a way to circumvent our license checks?
We may extend this list with new examples.

Please note that not all crashes are vulnerabilities, some things have been reported before, some may be caused by code that is not from us (open source libraries), and not all vulnerabilities can be exploited.
If you have something, please contact us.
25 08 21 - 09:12
