onionr/SECURITY.md

1.5 KiB

Security Policy

Scope

The Onionr software and any nodes you control are within scope.

Avoid social engineering, volume-based denial of service and disrupting or harming the Onionr network. Do not attempt to exploit any machines/servers you do not own or otherwise have permission to do so.

The following exploits are of particular interest:

  • Arbitrary code execution
  • API authentication bypass (such as accessing local API from public interface)
  • Deanonymization:
    • Easily associating public keys with server addresses
    • Discovering true server IPs when behind Tor/I2P (aside from Tor/i2p-level attacks)
    • Easily discovering which nodes are the block creator
  • XSS, CSRF, clickjacking
  • Timing attacks against the local http server (see blog post)
  • Discovering direct connection servers as a non participant.
  • Cryptography/protocol issues
  • Denying nodes access to the network by segmenting them out with Sybil nodes

We do not consider non-network based same-machine attacks to be very significant, but we are still willing to listen.

Rewards

Onionr is a student-owned hobby project, resources are not available for large rewards.

Stickers or other reasonable & negotiable rewards are available. We reserve the right to refuse rewards for any reason.

Public recognition can be given upon request.

Contact

Email: beardog [ at ] mailbox.org

PGP (optional): F61A 4DBB 0B3D F172 1F65 0EDF 0D41 4D0F E405 B63B