Bounties (Tier 2)

  Severity      Bounty
  Low           € 500
  Medium        € 2,500
  High          € 5,000
  Critical      € 7,500
  Exceptional   € 15,000

  Range: € 500 - € 15,000
Domains

  KeePass 2.x (Tier 2, type: Other)
  More precisely, all files within the latest KeePass-2.xx-Source.zip source code package. The KeePass software can be downloaded at keepass.info/download.html
Description

KeePass is a free, open source, light-weight and easy-to-use password manager. You can store your passwords in a highly-encrypted database, which can only be unlocked with one master password and/or a key file. This project is part of the EU-FOSSA 2 project, where the European Commission sponsors selected open source software in running bug bounty programs to test and improve their security.

In scope

KeePass 2.x. More precisely, all files within the latest KeePass-2.xx-Source.zip source code package.

We are looking for security vulnerabilities, especially ones that allow an attacker to obtain sensitive data stored in a KeePass database file (latest format).

All information can be found at our website https://keepass.info/. The latest downloads (source code, binaries, portable versions, etc.) can be found on the downloads page, keepass.info/download.html.

Changelog KeePass 2.42:

https://keepass.info/news/n190501_2.42.html

Changelog KeePass 2.43:

https://keepass.info/news/n190910_2.43.html

Out of scope

Everything that is not directly part of KeePass 2.x is out of scope, including but not limited to:

Attacks that are out of scope:

  • Brute-force attacks on database files and attacks where the user uses a weak master key.
  • Attacks requiring that the user is executing malware (for instance by social engineering or by bugs in other software).
  • Attacks requiring that the user manually performs a security-disruptive operation (like entering/importing malicious data into KeePass, exporting data to an unencrypted file, etc.), configures the environment in a way that does not allow secure execution, or helps an attacker in other obvious ways.
  • Attacks requiring write access to KeePass application/configuration files or the environment that KeePass is being executed in (operating system, .NET Framework and user account).
  • Attacks involving the process memory protection beyond its documented limitations.
  • Attacks involving auto-type (especially its window matching) beyond its documented design.
  • Highly speculative/theoretical attacks and best practice concerns without demonstrating a real exploit.
  • Criticizing intended, low-impact design decisions (like not locking the workspace in certain situations in order to prevent a data loss or leak) does not count.

Known issues that are out of scope:

  • Anything related to the cloud clipboard and the clipboard history that is introduced by Windows 10 1809. We are aware of the fact that turning on these features (which are off by default) is problematic in conjunction with copying passwords to the clipboard, and a solution will be implemented in one of the next KeePass versions.
Rules of engagement

Guidelines

  • Provide a detailed description (in English) of the problem and steps how to reproduce it. Include a clear attack scenario. Depending on the problem, an example database file and your KeePass.config.xml file may be helpful for reproducing the problem.
  • In order to be eligible for a bounty, your report must be submitted through Intigriti.
  • Payouts will only take place after agreement on the criticality of the impact and only if the submission was the first of its kind and agreed to be valid.
  • We cannot pay bounties to individuals or residents of countries subject to EU financial sanctions.

Disclaimer

This program is part of the EU FOSSA 2 project managed by the European Commission's Directorate-General for Informatics (DIGIT). EU FOSSA 2 will offer a systematic approach for the EU institutions to ensure that widely used critical software can be trusted. The project will help reinforce the contribution of EU institutions to ensuring and maintaining the integrity and security of key open source software.

For more information on EU FOSSA 2 please refer to https://joinup.ec.europa.eu/collection/eu-fossa-2.

Safe harbour for researchers

KeePass considers ethical hacking activities conducted consistently with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute "authorized" conduct under criminal law. KeePass will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will it file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, KeePass will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

Severity breakdown

All rewards are impact based. To give you an idea of what kind of bugs belong in a certain severity rating we've put some indicative examples below. Note that depending on the impact a bug can sometimes be given a higher/lower severity rating.

Exceptional category bug - CVSS 9.5 – 10.0

  • Extract sensitive information from a KDBX file without any additional information (like the master key).

Critical category bug - CVSS 9.0 – 9.4

  • Malicious modifications of a KDBX file (like injecting malicious data that could later lead to a disclosure of sensitive data) that KeePass does not detect and report to the user, under the assumption that an attacker has access to the database file (but without knowing the master key; for instance when saving the database file in a cloud storage). The 'Repair Mode' does not count (KeePass shows a warning).
  • Data extraction/leakage/injection from/into a running KeePass instance.
  • Remote code execution.

High category bug - CVSS 7.0 – 8.9

  • Issues related to random number generation in places where cryptographically secure random numbers are necessary (like salts in KDBX files).
  • Flaws in the password generator.

Medium category bug - CVSS 4.0 – 6.9

  • Trick KeePass' update check to show a new version that actually does not exist (by intercepting/manipulating the communication with the server that provides the version information).

Low category bug - CVSS 0.1 – 3.9

  • Find a sequence of user actions (with a specific combination of options) where a security feature unexpectedly does not work as intended. Criticizing intended, low-impact design decisions (like not locking the workspace in certain situations in order to prevent a data loss or leak) does not count.

Bonus policy

The European Commission offers a 20% bonus on top of a vulnerability payout if the reporter provides a fully working fix that is committed and accepted by the community.

FAQ

Can KeePass contributors claim bounties?

Anyone can claim a bug bounty as long as they were not directly involved in the introduction of the vulnerability.

