Description

7-Zip is a free and open-source file archiver, a utility used to place groups of files within compressed containers known as archives. It is developed by Igor Pavlov and was first released in 1999.

Bounties (Tier 2: € 350 - € 5,000)

Severity      Bounty
Low           € 350
Medium        € 600
High          € 1,250
Critical      € 2,500
Exceptional   € 5,000
Domains

7-zip Application (Tier 2, Other)

In scope

The European Commission is running a bug bounty program against several open source packages to assist the community in detecting vulnerabilities in commonly used software, and one of them is 7-zip.

We are looking for any security issue that is not yet known to the development team.

We can only issue bounties to the original finder of a security bug.

The latest official release is in scope of the bug bounty test.

All downloads can be found here. Only the latest version of each download is in scope.

Changelog

7-Zip 19.00 (2019-02-22)

What's new after 7-Zip 18.06:

  • Encryption strength for 7z archives was increased: the size of random initialization vector was increased from 64-bit to 128-bit,
    and the pseudo-random number generator was improved.
  • Some bugs were fixed.

Out of scope
  • Older versions of 7-zip
  • Unofficial builds
  • The 7-Zip website and its online assets
  • Bugs in software that integrates with 7-zip
  • Known issues
  • Issues previously reported through other channels
  • Theoretical issues without a realistic attack scenario
  • Software bugs that have no security impact. You can report these bugs here.
Rules of engagement

Guidelines

  • In order to be eligible for a bounty, your report must be submitted through Intigriti.
  • Payouts will only take place after agreement on the criticality of the impact and only if the submission was the first of its kind and agreed to be valid.
  • We cannot pay bounties to individuals or residents of countries subject to EU financial sanctions.

Disclaimer

This program is part of the EU FOSSA 2 project managed by the European Commission's Directorate-General for Informatics (DIGIT). EU FOSSA 2 will offer a systematic approach for the EU institutions to ensure that widely used critical software can be trusted. The project will help reinforce the contribution of EU institutions to ensuring and maintaining the integrity and security of key open source software.

For more information on EU FOSSA 2 please refer to https://joinup.ec.europa.eu/collection/eu-fossa-2.

Safe harbour for researchers

7-zip considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. 7-zip will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will they file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, 7-zip will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

Severity breakdown

The severity of a vulnerability is calculated by using the CVSSv3 calculator. Intigriti uses the base metrics to calculate the CVSSv3 score:

Attack Vector

This metric reflects the context in which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically and physically) an attacker can be in order to exploit the vulnerable component.

Attack Complexity

This metric describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. Such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required.

User Interaction

This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. This metric value is greatest when no user interaction is required.

Scope

When the vulnerability of a software component governed by one authorization scope is able to affect resources governed by another authorization scope, a Scope change has occurred.

Confidentiality

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

Availability

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component.

The bounty category is based on the total CVSSv3 base score:

Severity      CVSS base score
None          0.0
Low           0.1 - 3.9
Medium        4.0 - 6.9
High          7.0 - 8.9
Critical      9.0 - 9.4
Exceptional   9.5 - 10.0

Bonus policy

The European Commission offers a 20% bonus on top of a vulnerability payout if the reporter provides a fully working fix that is committed and accepted by the community.

FAQ

Can 7-zip contributors claim bounties?

Anyone can claim a bug bounty as long as they were not involved in the introduction of the vulnerability.


Program specifics
  • ID check required
  • Reputation points
  • Triage

Activity
  • 4/27: 7-zip closed a submission
  • 2/12: 7-zip accepted a submission
  • 11/6: 7-zip changed the in scope
  • 10/16: 7-zip accepted a submission
  • 9/10: 7-zip accepted a submission
  • 8/27: 7-zip closed a submission
  • 8/5: 7-zip accepted a submission
  • 7/6: 7-zip accepted a submission
  • 6/1: 7-zip accepted a submission
  • 5/31: jodurryss created a submission