At Weaveworks we take security very seriously, and value our close relationship with members of the security community.

In recognition of the valuable contributions of security researchers, Weaveworks maintains a Vulnerability Reward Program (aka Bug Bounty) and pays bounties of up to $1000 for serious security issues.

Qualifying Software

All of our source code is available on GitHub.

We will also accept bug bounty submissions relating to the Weave Cloud service, its hosting and configuration.

Qualifying Vulnerabilities

To qualify for a bounty, bugs must meet the following criteria:

  • The bug must be original, previously unreported and come with a reproducible test case
  • The bug must be present in the latest released version of the software in question
  • The security rating assigned to the bug by Weaveworks must be critical or high
  • The submitter must not be the author of the buggy code nor otherwise involved in its contribution to the Weave project (such as by providing check-in reviews).

Non-Qualifying Vulnerabilities

  • Previously reported vulnerabilities
  • Vulnerabilities in the Go NaCl libraries
  • Vulnerabilities in underlying software used for building and packaging Weave (such as Alpine Linux, Go or Docker)
  • Vulnerabilities in the operating system on which Weave is run.

The scope of our bug bounty program is limited to technical vulnerabilities in software created by Weaveworks.

Submitting A Security Bug Report

To submit a security bug report, please e-mail us at security@weave.works. We ask that you follow our Responsible Disclosure guidelines when submitting a report.

Responsible Disclosure

Our ultimate focus is on protecting our end users. We therefore ask submitters to allow a reasonable amount of time for a fix to be developed, or to submit a fix for the issue themselves.

We are guided by Google’s Responsible Disclosure philosophy and their recommendation that sixty days is an appropriate upper bound for a serious security issue to be fixed. In general we fix issues much faster than this.

Multiple Submitters

If two or more people report the bug together, or report it independently at approximately the same time, the reward will be divided between them.

Who reviews submissions?

The Weave committers.

How much are the bounties and how are they paid?

Bounties are up to $1000. The amount payable is at the discretion of the Weave Bounty Panel. Bounties are paid via PayPal.

Acknowledgement

If the submitter wishes, we will publicly acknowledge their contribution.