Bug Bounty Program

We run a bug bounty program covering our flagship Dead Man's Switch (DMS) service. If you think you have found a security vulnerability in Elpis, please report it to us straight away. Please include detailed steps to reproduce and a brief description of what the impact is.

We encourage responsible disclosure (as described below), and we promise to investigate all legitimate reports in a timely manner and fix any issues as soon as we can.


Hall of Fame

Security researchers who have identified vulnerabilities in Elpis and contributed to our security by responsibly reporting them to us are listed in our Hall of Fame.

Responsible Disclosure Policy

We ask that during your research you make every effort to maintain the integrity of our users’ data, avoiding violating privacy or degrading our service. You must give us reasonable time to fix any vulnerability you find before you make it public. In return we promise to investigate reports promptly and not to take any legal action against you.

Bug Bounty

As a measure of our appreciation for security researchers, we are happy to give full credit in any public postmortem after the bug has been fixed, and we offer a monetary bounty for certain qualifying bugs.

To qualify for the bounty, you must:

  • Follow our responsible disclosure policy (see above).
  • Report the bug to us first, and give us reasonable time to fix the issue before making it public.
  • Be the first person to report the issue to us.
  • Use only an account that you control. Never interact with other accounts without the owner’s consent.
  • Find a bug that could allow access to private user data, or enable access to a system running Elpis infrastructure.

Examples of valid vulnerability types include:

  • Authentication or session management issues
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Remote Code Execution
  • Privilege Escalation

The decision of whether a bug qualifies for a bounty is solely at the discretion of Elpis. Any qualifying bug will be eligible for a bounty of a minimum of £20 GBP and a maximum of £1,000 GBP. The exact value will be determined by Elpis after taking into account the severity of the vulnerability, the number of users potentially affected, and similar factors. All bounties will be paid via PayPal. Any taxes or fees are the sole liability of the recipient. We process bug bounty payments once a month.

Exclusions

Some security elements are excluded from the scope of our program.

These include, but are not limited to:

  • Non-technical attacks such as social engineering, phishing, or physical attacks against our staff, users, or infrastructure.
  • Attempts to brute force access to any areas requiring authentication.
  • Anything related to enumeration of usernames.
  • Outdated software/library versions.
  • DMARC, DKIM and SPF related issues.
  • Insecure settings in non-sensitive cookies.
  • Missing HTTP headers, unless a vulnerability can be demonstrated.
  • Bugs related to unpatched, out of date or exceedingly rarely used browsers or other client software out of our control.
  • Clickjacking on pages with no sensitive actions.
  • Reports about “leakage” of the fact we run nginx, or the version number, or Perl module names or file paths.

PGP

If you have a particularly sensitive disclosure to make, please encrypt the details of the vulnerability with our PGP public key and email us at:

Fingerprint: 44C9 9C7F D6B5 1C46 38D6 D9B7 E844 014D 30D5 8978
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v4.5.5
Comment: https://openpgpjs.org
-----END PGP PUBLIC KEY BLOCK-----
