Bug bounties are requests for penetration testing against the AniNIX services.
Rules
- Do not test against AniNIX production services without prior authorization. Instead, set up a replica using ShadowArch and any other AniNIX Foundation repository.
- Report bugs immediately to AniNIX staff via AniNIX IRC.
- Control the scope of your pentesting. For example, using root access on the host to conduct a Direct Memory Access attack on CryptoWorkbench is not an exploit in that project. Physical penetration is always out of scope.
Active Targets
CryptoWorkbench
The CryptoWorkbench has a --blind option. It is intended to prevent data exfiltration and CLI access, even though CryptoWorkbench is itself a CLI tool. Install ShadowArch, and use the CryptoWorkbench "make sshuser" command to set up the captive user. If you can use the captive user over SSH to gain a prompt or exfiltrate data through the CryptoWorkbench, please announce it to the admins.