The ESP32 Security Bug Bounty Program (US$500!)

https://esp32.com/viewtopic.php?f=10&t=1572
https://github.com/espressif/esp-idf
https://espressif.com/en/products/hardware/esp32/overview

The ESP32 Security Bug Bounty Program

PROGRAM DESCRIPTION
Espressif is pleased to launch the ESP32 Security Bug Bounty Program, with immediate effect from Mar. 30th, 2017.
We will offer US$500 to any developer reporting a previously unknown security-related bug in our latest ESP-IDF, and $1729 more for a proof of concept!

WHAT CONSTITUTES AN ELIGIBLE BUG REPORT?
The links at the top of this post lead to our ESP-IDF Programming Guide, in particular the sections on Security Functions, Flash Encryption and Secure Boot. Bugs that are not security-related are not included in the Bug Bounty Program.
Also, developers should focus only on the latest version of our ESP-IDF.

If multiple developers happen to report the same bug, the award will be given to the first one who files a bug report.

HOW DO I REPORT A BUG?
Fill in the attached form and send it to bugbounty@espressif.com. Full details about the bug are required, including bug name, bug description, the ESP-IDF version in which it was found, relevant hardware information, test steps, reference codes, log output, and any other information deemed necessary for identifying and verifying the reported bug.

ESP32 BUG REPORT TEMPLATE.docx

We cannot accept responsibility for reports not properly sent. Incomplete or false reports will not be accepted. We may ask for clarifications if needed.

I’VE REPORTED A BUG, NOW WHAT?
  1. You will receive an email acknowledging the receipt of your bug report.
  2. Then, our engineers will review your report and validate its eligibility. The duration of the review may vary, depending on the complexity and completeness of your report, as well as the number of bug reports we receive. In any case, you will get an update on the bug, as we shall respond to you personally and fix any confirmed vulnerability before going public.
  3. Upon bug verification, we shall contact you, asking to provide us with all necessary information that will facilitate your payment for eligible bug reports.

BOUNTY PAYMENTS
In general, we shall make payments via bank transfer. Award recipients are responsible for dealing with any tax implications or local laws, rules and regulations applicable to their country/state/province.

RIGHTS RESERVED
Espressif reserves the right to decide whether the bug report is valid. Decisions made by Espressif are final and binding.

We look forward to your participation!
