Drupal Security Bug Bounty Program

Our bug bounty program for Drupal is intended to promote security research into Drupal and its contributed modules and to help with the continuing process of keeping Drupal and its modules secure. We use Drupal, support it for our clients, and clean up Drupal websites that have been hacked.

Requirements

  • The bug must not have been previously reported.
  • The bug must be in the most recently released version of Drupal 6.x and/or 7.x.
  • You must not have written the buggy code or have been in any way involved in its creation.

Drupal Bounties

  • Remote execution of arbitrary PHP code: US$1000
  • Remote malicious file inclusion: US$1000
  • Remote SQL injection that allows reading or modifying the database: US$500
  • Persistent cross-site scripting (XSS): US$500
  • Authentication flaw that allows access to Administrator-level permissions: US$500
  • Privilege escalation for User from lesser permissions to Administrator-level permissions: US$500
  • Information disclosure that exposes settings.php file contents: US$500
  • Reflective cross-site scripting (XSS): US$200
  • DOM-based cross-site scripting (XSS): US$200
  • Cross-site request forgery (CSRF): US$200
  • Privilege escalation: US$100

Drupal Contributed Module Bounties

For contributed modules with over 50,000 users according to the Drupal Project usage overview, compatible with Drupal 6.x and/or 7.x, and in a recommended release.

  • Remote execution of arbitrary PHP code: US$250
  • Remote malicious file inclusion: US$250
  • Remote SQL injection that can modify the database: US$125
  • Persistent cross-site scripting (XSS): US$125
  • Authentication flaw that allows access to Administrator-level permissions: US$125
  • Privilege escalation for User from lesser permissions to Administrator-level permissions: US$125
  • Information disclosure that exposes settings.php file contents: US$125

Process

To receive the bounty you need to mention the bounty program when you first contact the Drupal developers about the bug, and they need to acknowledge that. If you provide us with details of the bug before the developers have had a chance to review the report, the bug will not be eligible for a bounty. Once that has been completed, you will also need to provide enough information for us to reproduce the exploitation of the bug. The bounty will be paid via PayPal. The bounty can also be donated to a charity of your choice.

Payouts

  • 1/28/2013 - Persistent cross-site scripting bug in [redacted until fix for vulnerability released]