Bug Bounty
Strong security out of the box is one of the main design goals of MonkOS. Like any respectable piece of software, MonkOS is constantly patched and improved to make sure that it cannot be exploited. Our team is happy to work with anyone who discovers a new way to make MonkOS go bzzzzt.
If you have discovered a security vulnerability in MonkOS, let us know!
Eligibility
In order to be eligible for a Bug Bounty reward:
- Your report must be original, describing a previously undiscovered vulnerability,
- Your report must contain a working proof of concept demonstrating the vulnerability,
- The reported vulnerability must not have been disclosed publicly,
- Do no harm:
- Do not attack accounts and clusters that do not belong to you,
- Do not access data that does not belong to you,
- Your vulnerability report must pertain to one of the following scopes:
- Any endpoint on monk.io and *.monk.io, or any public system run by MonkOS that you can find,
- MonkOS authentication and account lifecycle,
- Remote and local exploitation of monkd,
- Remote exploitation of MonkOS clusters running on different cloud environments.
Moreover, we reserve the right to reject reports that are purely theoretical, plainly obvious or rely on attack vectors outside our control.
Submit Your Report
Contact us via:
- MonkOS Discord Server, channel: #bugs-and-fixes
- Email: [email protected]
We will get back to you with next steps.
Rewards
Our team will review your report and place it into one of three tiers at their discretion. The exact reward amount depends on the severity of the vulnerability. You can only be rewarded once for a single vulnerability.
Tier | Reward | Severity |
---|---|---|
🥇 gold | $1500 - $3000 | High severity, medium-to-high probability |
🥈 silver | $500 - $1500 | Medium severity, medium-to-high probability |
🥉 bronze | $100 - $500 | Low severity or low probability |
Reports of issues without security impact are also welcome, but they do not qualify for a reward.
MonkOS Contributor Program rules apply. Read more →