Astricks bug bounty program

fygaledov · December 1, 2017, 10:43am

I want to participate in the Asterisk Bug Bounties program.
I do not know a number of things:
1 What kind of bugs are acceptable in the program? (DOS is considered? Or just RCE?)
2 How do I submit and prove what I found? (Enough to point to a code snippet and show here and here is the vulnerability or that I must show the entire flow to weakness + an example of a crash or something in this style (and maybe even I should add a code fix)?
3 To whom do I present what I found and who exactly pays me?

Thanks in advance.
DK

jcolp · December 1, 2017, 11:17am

The project does not have a financial bug bounties program. From a security vulnerability perspective there is documentation on the wiki[1] of how to report such things.

[1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Vulnerabilities

johnkiniston · December 1, 2017, 3:12pm

There are a couple of Bounties on the asterisk-dev mailing list right now.

https://wiki.asterisk.org/wiki/display/AST/Asterisk+Bug+Bounties

https://www.mail-archive.com/asterisk-dev@lists.digium.com/msg43398.html

https://www.mail-archive.com/asterisk-dev@lists.digium.com/msg43650.html

https://www.mail-archive.com/asterisk-dev@lists.digium.com/msg43491.html

jcolp · December 1, 2017, 3:14pm

Thank you, I should have clarified that companies or individuals are free to post bug bounties themselves. I was strictly looking at it from a security bounty perspective.

Topic		Replies	Views
Asterisk Voicmail Vulnerability - Fixed in 1.2-beta2 Asterisk Support	2	196	November 17, 2005
Securing asterisk - help for a master student Asterisk Support	4	260	February 9, 2006
Q: entry strategy for becoming a more serious contributor? Asterisk Support	4	210	June 17, 2006
How to provide bug information for asterisk Asterisk Support	4	289	September 5, 2008
Student requires final semester project on Asterisk Asterisk Support	7	285	March 12, 2006

Astricks bug bounty program

Related topics