Scope

We are happy to announce the X-Road® bug bounty program! We've done our best to clean most of our known issues and now would like to request your help to spot the ones we missed! The following components available in the X-Road GitHub repository are in-scope for this bug bounty program:

  • X-Road Central Server

  • X-Road Security Server and its addons

  • X-Road Configuration Proxy

As an example:
We are very interested in maintaining a high level of trust and security in the communication that takes place between two Security Servers. If you find any way of breaking that trust by using a man-in-the-middle attack or any other means, please let us know!

Vulnerability reports are submitted to the X-Road Service Desk using the Bug Bounty request type. In order to access the X-Road Service Desk, sign up for an account.

Out of Scope

The following vulnerabilities are out of scope:

  • Vulnerabilities related to https://www.niis.org/, https://x-road.global/, or any other webpage relating to X-Road. Only the X-Road core software itself is in scope for this program.

  • Vulnerabilities related to the X-Road autologin utility.

  • Reports from static analysis of source code without accompanying proof of concept and steps to reproduce against a live instance of X-Road.

  • Reports from automated tools or scans without accompanying proof of concept and steps to reproduce.

  • Vulnerabilities relating to host configuration, such as open ports or TLS configuration issues. Host hardening is up to the server administrator in the X-Road architecture, so only vulnerabilities in the X-Road software itself will be considered in-scope.

  • Vulnerabilities related to the Test CA provided with X-Road. This CA is for testing purposes only, and is not used in production environments.

  • Spam, social engineering and physical intrusion.

  • DoS/DDoS attacks or brute force attacks.

  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted.

  • Attacks requiring physical access to a victim's computer/device, man-in-the-middle attacks, or compromised user accounts.

  • Reports without a proof-of-concept.