Gitcoin Passport Bug Bounty
find vulnerabilities in the Gitcoin Passport and get rewards
Bounty: up to 600 (posted 23 months ago)
overview
The Gitcoin Passport is an identity verification application. We have written software enabling people to grow personal ledgers of verifiable credentials about themselves and organizations to assess their identities to coordinate rights and responsibilities. The institutions define, verify, and utilize identity as functions of the networked records of the individuals. While we build the Passport agnostic to specific applications, we are actively exploring its benefits for personhood proofs and plurality in organizational designs.
Many social organizations, online particularly, have difficulty ensuring that every participant is a unique human and does not have multiple participating accounts. Most existing digital identity solutions are either centralized (e.g., national identity cards) or individualistic (e.g., most “self-sovereign” identity models). However, identity is naturally intersectional and social; everybody shares different data and relationships with a unique set of others. The Gitcoin Passport aims to provide a more collaborative and secure infrastructure for digital identity by capturing the richness of our diversely shared lives.
The integrity of our identity verification application is one of our highest priorities. Therefore, our bug bounty program for the Gitcoin Passport rewards up to $600 (paid in DAI).
We guide decisions on the eligibility and size of a reward by the rules set out under project judging below. Nevertheless, any determination is at the sole discretion of Gitcoin.
- Critical: $600
- High: $225
- Medium: $125
- Low: $30
problem to solve
What we want you to investigate: all code in the repository is eligible for the bounty.
The Gitcoin product ecosystem, in general, is not part of this bug bounty program.
We, of course, want to know about every vulnerability, but we are looking in particular for:
- Safety bugs
- Denial of service vectors
- Inconsistencies in assumptions, like situations where somebody could create fake credentials
- Calculation or parameter inconsistencies
- Data leaks that might make an individual passport personally identifiable
project judging
We follow many of the bug bounty rules that the Ethereum Foundation does:
- Decisions on the eligibility and size of a reward are the sole discretion of Gitcoin.
- Any disclosure of a vulnerability to the public or other third parties (such as the media) before Gitcoin makes it public will disqualify the bounty. You must privately submit issues to securitybounty@gitcoin.co.
- Issues must be new to the team. Another builder or an audit can’t have already identified them.
- No employees, contractors, or others with current or prior commercial relationships with Gitcoin are eligible for rewards - this includes auditors used by Gitcoin.
- Provide the steps required to demonstrate an issue. If we cannot reproduce a problem, we will not be able to reward it.
In addition to severity, we may also consider factors like:
- Quality of description. We pay higher rewards for clear, well-written submissions.
- Quality of reproducibility. Please include test code, scripts, and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
- Quality of fix, if included. We pay higher rewards for submissions with a clear description of how to fix the issue.
Give us time to investigate anything you report before sharing it publicly or with others, and (hopefully this goes without saying) don't exploit an issue if you find one. Try wherever possible to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Submission process
Please email securitybounty@gitcoin.co.