Asterisk bug bounty program

I want to participate in the Asterisk Bug Bounties program.
I do not know a number of things:
1. What kind of bugs are acceptable in the program? (Is DoS considered, or just RCE?)
2. How do I submit and prove what I found? (Is it enough to point to a code snippet and show that here and here is the vulnerability, or must I show the entire flow to the weakness plus an example of a crash or something in this style, and maybe even add a code fix?)
3. To whom do I present what I found and who exactly pays me?

Thanks in advance.
DK

The project does not have a financial bug bounties program. From a security vulnerability perspective there is documentation on the wiki[1] of how to report such things.

[1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Vulnerabilities


There are a couple of Bounties on the asterisk-dev mailing list right now.

https://wiki.asterisk.org/wiki/display/AST/Asterisk+Bug+Bounties

https://www.mail-archive.com/asterisk-dev@lists.digium.com/msg43398.html

https://www.mail-archive.com/asterisk-dev@lists.digium.com/msg43650.html

https://www.mail-archive.com/asterisk-dev@lists.digium.com/msg43491.html


Thank you, I should have clarified that companies or individuals are free to post bug bounties themselves. I was strictly looking at it from a security bounty perspective.
