Active since 2022, our HackerOne program is growing in its scope and pace. We welcome you to discover this year’s statistics, read about a new item in scope — ONLYOFFICE DocSpace, and learn how to start testing ONLYOFFICE solutions via HackerOne.
About ONLYOFFICE bounty program
In 2022, we launched the ONLYOFFICE bug bounty program on HackerOne, aspiring to boost our security improvement efforts by involving a broad professional hacker community in testing ONLYOFFICE solutions.
How does it work? Vulnerability specialists active on the platform are encouraged to run a variety of facilitated tests on a range of our solutions within the program’s scope. In return, we pay out bounties commensurate with the severity of each issue and resolve the reported issues within a controlled timeframe.
Currently, we are keeping our program private to have better control over vulnerability handling at this early stage. The reporting is invitation-based with curated invitation quotas and candidate selection. In the future, we are planning to open the program to the wider community and let in the organic inflow of hackers.
Read our program launch blog to learn more about the essentials of the ONLYOFFICE bug bounty program.
2023 program overview
This year so far, we have received 30 valid reports from the program participants, and have fully resolved 34 submissions (including some of the past year’s reports), paying out a total of $10,200 in bounties.
From all the resolved reports, we successfully eliminated 8 critical, 9 high-importance, and 17 lower-importance vulnerabilities, which we consider a success given this period’s report volume.
New in scope: ONLYOFFICE DocSpace
Since the launch of ONLYOFFICE DocSpace in spring 2023, we have observed great interest from our users in testing the solution to discover and fix existing vulnerabilities. Although we have previously accepted some related reports from our HackerOne crowd, we have now decided to make it official and add the DocSpace repo to our program’s scope.
We invite both new hackers and earlier participants to take on a new challenge and put the code of the ONLYOFFICE DocSpace repo to the test. Read below to learn how to get invited.
How to participate
We are continuing our bounty program, aspiring to get it ready for a public launch. At this moment, we welcome you to apply for the private program.
Send us an email titled ONLYOFFICE HackerOne bounty at firstname.lastname@example.org and describe what you have found along with your username. You will receive an invitation shortly after approval from the ONLYOFFICE security team.