Bug Bounty

I cannot at this time afford to pay for bugs if they ever come up (not that I expect any). The bounty program is therefore suspended.

Find bugs, get thanks (used to be money), if there are any bugs left.

If you think you found a bug, contact me via email. Or file an issue on GitHub if this is not a vulnerability.

Scope

This is about bugs in the Monocypher library. The web site, the manual, and external resources are out of scope. So are "bugs" that come from incorrect uses of Monocypher.

Bugs are divided into tiers.

Tier 1: catastrophic failures

An attacker could decrypt data, recover keys, or forge messages, without the help of side channels.

Some undefined behaviour allows an attacker to mount an arbitrary code execution exploit, or read secrets from memory. (The feasibility of such an exploit must be shown.)

Monocypher gives the wrong results on a platform that passes the test suite.

Tier 2: serious vulnerabilities & bugs

The attacker could mount a timing attack to decrypt data, recover keys, or forge messages.

Monocypher accidentally loses or corrupts data.

Tier 3: minor vulnerabilities & bugs

Presence of a timing leak, exploitable or not.

Undefined behaviour not covered by the above tiers.

Failure to wipe an internal buffer or context that contains secrets. Local scalars are excluded.

Not eligible

Side channels other than timing, such as energy consumption and fault injection. Monocypher only makes guarantees about timings, and does its best to wipe secrets after use. If you plug a smart card into an untrusted terminal, you must investigate fancy side channels yourself.

Timing leaks from arithmetic operations. Multiplication in particular is not constant time on all platforms. The manual already warns the user about that. (In practice, all modern 64-bit platforms, and most modern 32-bit platforms, are safe.)

Timing leaks from compiler optimisations. Compilers may introduce conditional branches even when the source code has none, as part of their optimisation process. The C standard does not specify timings, so compilers are perfectly allowed to replace bit twiddling with a branch. Thus, timing leaks that are not visible from the source code are not part of the bounty.

Failure to wipe secrets despite correct use of "volatile". Monocypher does its best to erase such secrets, but there is no portable way to actually guarantee it. Compilers may erase the corresponding code in some circumstances anyway.
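The two source-level patterns these last exclusions refer to, as an added example (not Monocypher's own code): a branchless comparison and a wipe through a volatile pointer. Both are correct at the C level, and, as the text explains, a compiler may still reintroduce a branch or drop the stores, so the generated assembly has to be inspected rather than trusted; the sample tag and key values below are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Branchless comparison of two equal-length buffers. Every byte feeds the
 * result and there is no early exit, so the *source* has no data-dependent
 * branch. Returns 0 when equal, non-zero otherwise. Whether the compiled
 * code keeps this property must be checked in the assembly (e.g. objdump). */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= a[i] ^ b[i];
    }
    return diff;
}

/* Wipe a secret through a volatile pointer so the stores are not removed as
 * "dead" under the as-if rule. This is the conventional volatile approach the
 * text mentions; the standard still gives no hard guarantee, which is why a
 * wipe that fails despite it is out of scope. */
void wipe(void *secret, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)secret;
    for (size_t i = 0; i < n; i++) {
        v[i] = 0;
    }
}

/* Constructed self-check: equal tags compare as 0, a one-bit change does not,
 * and the wiped key reads back as all zeros. Returns 1 on success. */
int self_check(void)
{
    uint8_t tag_a[16], tag_b[16], key[32];
    for (int i = 0; i < 16; i++) tag_a[i] = tag_b[i] = (uint8_t)(0xA0 + i);
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)(0x11 * i);
    if (ct_equal(tag_a, tag_b, 16) != 0) return 0;
    tag_b[15] ^= 0x01;                     /* flip one bit of the tag */
    if (ct_equal(tag_a, tag_b, 16) == 0) return 0;
    wipe(key, sizeof key);
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof key; i++) acc |= key[i];
    return acc == 0;
}
```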

Rewards

The rewards currently are:

Tier 1: my eternal thanks (used to be 1000€)

Tier 2: my eternal thanks (used to be 500€)

Tier 3: my eternal thanks (used to be 100€)

Not so fine print