At Weaveworks we take security very seriously, and value our close relationship with members of the security community.
In recognition of the valuable contributions of security researchers Weaveworks maintains a Vulnerability Reward Program (aka Bug Bounty) and rewards bounties of up to $1000 for serious security issues.
All of our source code is available on Github.
We will also accept bug bounty submissions relating to the Weave Cloud service, its hosting and configuration.
To qualify for a bounty, bugs must meet the following criteria:
- The bug must be original, previously unreported and come with a reproducible test case
- The bug must be present in the latest released version of the software in question
- The security ratings given by Weaveworks to the bug must be critical or high
- The submitter must not be the author of the buggy code nor otherwise involved in its contribution to the Weave project (such as by providing check-in reviews).
- Previously reported vulnerabilities
- Vulnerabilities in the Go NaCL libraries
- Vulnerabilities in underlying software used for building and packaging Weave (such as Alpine Linux, Go or Docker)
- Vulnerabilities in the operating system on which Weave is run.
The scope of our bug bounty program is limited to technical vulnerabilities in software created by Weaveworks.
Submitting A Security Bug Report
To submit a security bug report please e-mail us at firstname.lastname@example.org. We ask that you follow our Responsible Disclosure guidelines when submitting an Issue.
Our ultimate focus is on protecting our end users, as such we ask submitters to allow a reasonable amount of time for a fix to be developed, or submit a fix to the issue.
We are guided by Google’s Responsible Disclosure philosophy and their recommendation that sixty days is an appropriate upper bound for a serious security issue to be fixed. In general we fix issues much faster than this.
If two or more people report the bug together, or working independently at approximately the same time, the reward will be divided between them.
Who reviews submissions?
The Weave committers.
How much are the bounties and how are they paid?
Bounties are up to $1000. The amount payable is at the discretion of the Weave Bounty Panel. Bounties are paid via PayPal.
If the author desires we shall publicly acknowledge their contribution.