Last Updated: August 08, 2024
Vulnerability Disclosure Program
P2P.org deeply values the contributions of ethical and responsible security researchers towards enhancing the security and integrity of our products. We openly invite members of the security community to assess the security of our systems for potential vulnerabilities, ensuring that our services remain secure for our customers. Should you discover a security vulnerability within any of our applications or services, we urge you to inform us. However, we ask that you first familiarize yourself with the guidelines on this page and adhere to the outlined rules and recommendations. It's important to note that our review process is limited to technical vulnerability reports. For issues not related to security, such as non-security bugs or account-related problems, please contact our Customer Support team.
Services in Scope
We consider any P2P.org-owned application or service that processes reasonably sensitive user information as within scope. This encompasses nearly all web services hosted under the specified subdomains:
a. *.p2p.org
b. *.dev-p2p.org
c. *.p2p.world
General Rules
To ensure a productive, secure, and respectful partnership, we advise you to:
a. Use only your own P2P.org accounts for bug hunting, avoiding any interaction with third-party accounts (including data modification, copying, viewing, transmitting, or data retrieval) without the explicit written consent of the account owner, which should be provided to P2P.org upon request.
b. Refrain from actions that could violate privacy, diminish user experience, disrupt production systems, or result in data destruction or manipulation.
c. Limit the exploitation of discovered security vulnerabilities to the minimum necessary for verifying the vulnerability.
d. Submit detailed reports to P2P.org with steps that can be reproduced.
e. Note that we are currently unable to offer monetary rewards, but we extend our sincerest appreciation to researchers dedicated to investigating and reporting security vulnerabilities under this program.
Qualifying vulnerabilities
Any design or implementation issue that affects the confidentiality or integrity of user data is likely to be considered significant. We are particularly interested in security bugs within the following categories:
a. Server-side code execution
b. SQL injection
c. Unrestricted file system access
d. Authentication/Authorization bypass
e. Server-side request forgery to internal service
f. Cross-site scripting
g. Cross-site request forgery on sensitive actions
h. Sensitive information leakage
i. Business logic flaws with high security impact
Please be advised that we only accept technical vulnerabilities. Attempts to bypass physical security measures at any P2P.org offices, engage in spamming or social engineering attacks against P2P.org customers, partners, vendors, or employees, or undertake other dubious activities are not permitted.
Non-qualifying vulnerabilities
Submissions of the following types are unlikely to be reviewed or receive a response:
a. "Scanner output" or reports generated by scanners
b. Denial of Service attacks
c. Brute Force attacks
d. CSV Injection
e. Security issues in applications or services not operated by P2P.org (including third-party services and websites on P2P.org's subdomains)
f. Vulnerabilities requiring physical access to an unlocked device of the victim
g. Spam or Social Engineering techniques
h. Issues related to Password Policy
i. Disclosure of non-sensitive information (e.g., product version, path)
j. CSRF on non-significant actions (e.g., logout) or actions that do not require authentication (or a session) for exploitation
k. Framing and clickjacking vulnerabilities without a documented series of clicks leading to a tangible security impact
l. Self-XSS without a demonstrated impact on users
m. Lack of security mechanism or inconsistency with best practices without a demonstrated tangible security impact (e.g., missing security headers)
n. SSL/TLS misconfigurations (e.g., weak cipher-suites)
o. Vulnerabilities affecting only users of outdated or unpatched browsers
p. Insecure cookie settings for non-sensitive cookies
q. Bugs that do not pose a security risk
Reporting a vulnerability
If you have found a vulnerability, please contact us at security@p2p.org.
In order to make the review process smooth and effective, please include all the technical details required to identify and reproduce the issue, as well as your estimate of the impact. The report should normally include:
a. Vulnerable host or application name
b. Brief description of the issue
c. Brief description of the impact (e.g., unauthorized access to user account, privilege escalation, etc.)
d. Link to the calculated CVSS v3.0 rating
e. Steps to reproduce
f. Attack scenario
Public Disclosure
a. Be patient and give us reasonable time to review and fix the issue you have reported. We are committed to fixing valid submissions within 90 days.
b. Do not disclose any vulnerability information in a web service publicly or privately before the fix is confirmed or the report is rejected.
c. Do not disclose any vulnerability information in a mobile or desktop application publicly or privately before it is fixed and within 30 days after the fix is confirmed or the report is rejected.
d. Do not disclose any sensitive information or personal data that may have been accidentally obtained during vulnerability research.