Squirrel Security Bug Bounty

At Squirrel we place a high value on the security of our service and our users, especially since we target companies: the last thing we want is a breach within Squirrel that severely affects users and businesses.

The Internet is full of software security researchers, and we encourage all of them to help us on our journey of making Squirrel more and more secure for everyone.

To keep this hacking game fun for everyone, we have established basic guidelines to make sure researchers don't go too far and break our infrastructure into pieces. We're sure everyone can behave responsibly when finding and disclosing security vulnerabilities. Happy hacking!

The Rules

  • Do not affect other users with your testing. Only use accounts and servers you own.
  • Please provide clear, written step-by-step instructions for reproducing the vulnerability.
  • Do not perform actions that could affect the reliability of our services. Tracking down potential denial-of-service issues is fine and eligible for rewards, but please stop immediately if you believe the availability of our services has been affected.
  • Do not attempt to access users' private data. If you suspect a vulnerability that would lead to private data disclosure, only test with your own data.
  • If you come across private data that doesn't belong to you, you must delete it as soon as possible.
  • Please keep your findings private until we have finished our investigation and resolution, unless a team member has explicitly allowed you to disclose the vulnerability.

If you disagree with those rules or feel like we've missed something, reach out at [email protected].

The Scope

In general, a valid vulnerability should be reproducible on our own instance at squirrel.chat, or at least reproducible on a vanilla instance (a fresh build from GitHub, no plugins, configuration of your choice).

Valid targets

  • Squirrel Core: API and WebSocket used by Squirrel
  • Leaf: Our website metadata scraper and media proxy
  • Wind: Voice and video nodes used for communication between users

Valid domains

Squirrel currently owns and operates only the squirrel.chat domain. All of its subdomains are in scope for this program.

Legal safe harbor

Squirrel is open-source, so it's extremely easy to set up a local, private instance and do all the testing you want there. This makes you independent of our public instance and protects you against legal issues.

However, Squirrel's complete infrastructure might be painful to configure and might not be a good enough test subject for some scenarios. If you do test on our public instance within the scope of this program, we waive any potential legal action against you. We will not discriminate against you in any way, shape or form.

Reaching out

Found a security vulnerability? Great! Send us an email at [email protected], and we'll do our best to get back to you as fast as we can.

Language

We speak both English and French fluently, so please use one of those two languages when reaching out.

PGP Encryption

If you wish, you can encrypt your message using our public key, available here: https://squirrel.chat/pgp-key.txt. We'll do our best to reply using PGP as well.

Please note that encrypted reports might take slightly longer to process, as not everyone on the team has the key on hand.

Bounty Rewards

Squirrel is a small project made by enthusiast students, so our budget is quite low and unpredictable. We can't guarantee a cash reward, but we'll do our best to reward researchers with what we have on hand!

What we can guarantee, however, is a reserved spot in the acknowledgements section below for every confirmed security report, with links to your other platforms if you wish.

Notes

  • In case of duplicates, we'll only reward the first report we received.

Acknowledgements

Nobody has reported security vulnerabilities to the team yet. As soon as someone does, we'll make sure to list them here!