From: Salah Mosbah
Date: Mon, 4 Jan 2021 19:40:41 +0200
Subject: Re: Security vulnerabilities affects core API authorization of gnu.org
To: Jeff Law
Cc: janus@gcc.gnu.org, gcc@gcc.gnu.org, jself@gnu.org, overseers@gcc.gnu.org
List-Id: Overseers mailing list

Hi Jeff,

Does gnu.org have a bug bounty program or reporting bugs reward policy?

On Mon, Jan 4, 2021 at 6:06 PM Jeff Law wrote:

> On 1/4/21 3:23 AM, Salah Mosbah via Gcc wrote:
> > Hi Janus,
> >
> > How can I report some high impact security vulnerabilities that I have
> > found on gnu.org web app?
> >
> > Also, does gnu.org have a bug bounty program or reporting bugs reward
> > policy?
> >
> > The vulnerabilities that I have found affect the core API of gnu.org which
> > allows unauthorized users to get access to other users' data that they
> > don't have access to.
> For gnu.org you'd need to contact the administrators of that domain,
> which presumably you find contact information for on www.gnu.org.
>
> If it's a problem with gcc.gnu.org, then the details should be sent to
> overseers@gcc.gnu.org
>
> Jeff