I cannot afford at this time to pay for bugs if they ever come up (not that I expect any). The bounty program is therefore suspended. It may be reinstated sometime in 2019, if possible.
Find bugs, get thanks (used to be money). If there is any bug left.
If you think you found a bug, contact me via email. Or file an issue on GitHub if this is not a vulnerability.
This is about bugs in the Monocypher library. The web site, the manual, and external resources are out of scope. So are "bugs" that come from incorrect uses of Monocypher.
Bugs are divided into tiers.
Tier 1: catastrophic failures:
- An attacker could decrypt data, recover keys, or forge messages, without the help of side channels.
- Some undefined behaviour allows an attacker to mount an arbitrary code execution exploit, or read secrets from memory. (The feasibility of such an exploit must be shown.)
- Monocypher gives the wrong results on a platform that passes the test suite.
Tier 2: serious vulnerabilities & bugs:
- The attacker could mount a timing attack to decrypt data, recover keys, or forge messages.
- Monocypher accidentally loses or corrupts data.
Tier 3: minor vulnerabilities & bugs:
- Presence of a timing leak, exploitable or not.
- Undefined behaviour not covered by the above tiers.
- Failure to wipe an internal buffer or context that contains secrets. Local scalars are excluded.
The following are not covered by the bounty:
- Side channels other than timings. For instance, energy consumption and fault injections. Monocypher only guarantees timings, and does its best to wipe secrets after use. If you plug a smart card in an untrusted terminal, you must investigate fancy side channels yourself.
- Timing leaks from arithmetic operations. Multiplication in particular is not constant time on all platforms. The manual already warns the user about that. (In practice, all modern 64-bit platforms, and most modern 32-bit platforms, are safe.)
- Timing leaks from compiler optimisations. Compilers may introduce conditional branches even when the source code didn't have those, as part of their optimisation process. Compilers are perfectly allowed by the standard to replace bit twiddling with a branch, because timings aren't specified by the C standard. Thus, timing leaks that are not visible from the source code are not part of the bounty.
- Failure to wipe secrets despite correct use of "volatile". Monocypher does its best to erase such secrets, but there is no portable way to actually guarantee it. Compilers may erase the corresponding code in some circumstances anyway.
The rewards currently are:
- Tier 1: my eternal thanks (used to be 1000€)
- Tier 2: my eternal thanks (used to be 500€)
- Tier 3: my eternal thanks (used to be 100€)
Not so fine print
- I can pay you with a European euro cheque. Other means of payment may be possible on a case by case basis.
- Only one reward per bug. If several people find the same bug simultaneously, the reward may be split.
- Only one reward per bug (again). If the same bug manifests in several places (like header and source file), it is still only one bug.
- Vulnerabilities are not eligible for bounties if they are disclosed prematurely.
- I will not award bounties if I cannot legally do so. (I may not be allowed to send money to some countries.)
- The classification of bugs and reward amounts may change without notice.
- I, Loup Vaillant, have the final say. I ultimately determine which bugs are eligible, and for which bounty. I'll try my best to be fair, but I won't lose money to a technicality.