
If you find a security bug in IDA or the Decompiler and report it to us, you may receive a cash award. The purpose of our Security Bug Bounty Program is to make our tools more secure and reward those who help us in this endeavor. You may see the already reported vulnerabilities below.

Hex-Rays will pay a 3000 USD bounty for certain security bugs.

All IDA or Decompiler license holders can participate (with or without an active support plan), except Hex-Rays employees and their families.

Only bugs in Hex-Rays products (IDA and the Decompiler) are eligible.
Security bugs must be in Hex-Rays code (not in third-party/contributed code). In some cases we may take responsibility for third-party code as well.
Security bugs must be original, previously unreported, and not fixed yet.
Security bugs with high or critical impact are eligible (remote code execution, privilege escalation, etc.).
Security bugs must be present in the latest public release of IDA/Decompiler.
Security bugs must work on a clean, unmodified installation of IDA/Decompiler with all publicly released patches applied. In some cases we may accept bugs which require modification of the default settings of IDA (but not any binary patching, registry editing etc.).
Security bugs have to be triggered without user interaction, or with interaction which happens naturally during the user's work.

Bugs which are NOT eligible for the bounty:
Bugs which occur when the user explicitly starts a debugging session, executes a script, or takes any other action which may lead to execution of external code as part of its normal functionality.
Simple crashes and denial-of-service bugs, although we'll still be interested to get the reports of these :).

How to apply: send your report to The report should include the POC code and a small description of the bug and its impact.

We reserve the right to refuse a bounty payment if we believe the actions of the reporter have endangered the security of Hex-Rays' end users.

The duration of the bounty program: undetermined. We reserve the right to close the program at any moment.

What will be asked from the reporters: a proper and legal picture identification and bank account information within 30 days of the bug acknowledgement.