Confection Republic

Getting Started

Welcome

The Confection Republic is a forum where our developer community can ask questions, share ideas, and collect bounties. If you haven't already, please familiarize yourself with the code and tactical rules we outline here: confection.io/developers

I. Members

To set up your account, please visit the homepage or any tag page and click "Start a Discussion" or "Sign Up."

a. "How do I post a security tip or bug?"

Visit the "Security Tips" section of our community. Click "Start a Discussion" or "Sign Up" to create an account. Then, you'll be able to post your tip. Once that's done, we'll evaluate it. If the vulnerability is in scope, we'll prioritize (and reward you) according to these guidelines. Make sure your report is as specific as possible. Include an "Affected Pages/Components" section and list other pages/UIs which may be affected by the same bug or vulnerability. In Scope

Out of Scope

PHP version and WordPress core file and plugin updates @ confection.io
Any WordPress plugin/core issues in files don't directly control (eg. Gravity Forms or Yoast SEO scripts)
Any scripts, applications, or libraries we don't directly control (and can't directly fix)
ai.confection.io is just a staging/testing site. It's out of scope.
status.confection.io
This is an Atlassian Statuspage. If you see a vulnerability there, let Atlassian know.
We built republic.confection.io using Flarum. You may find issues and behaviors related to that framework. If you post such an issue, it will be out of scope, and we'll encourage you to repost here.
We use Auth0 for authentication. If you see a vulnerability with their system, let them know.
Certain *.confection.io endpoints are not proxied through Cloudflare. This is intentional. For a complete list of endpoints, please email get@confection.io If you report that one of these endpoints is unproxied, unprotected by WAF, or otherwise vulnerable, we'll mark the issue out of scope/wontfix.
Any issue previously reported. Depending on the next steps we took, these kinds of issues may be tagged wontfix, done, paid, and/or in scope. If you report an issue that falls into this category, we'll tag it "Previously Reported/Fixed" and share links to the relevant posts with you.
If a fix for a bug also fixes another reported bug - directly or indirectly - only the first ticket will be rewarded, even if other tickets were already reviewed/accepted.
Any bug that will be fixed by a build in our current roadmap -- which we track at Jira -- will be ineligible for a bounty.
Server health issues -- server down, unresponsive, unreachable, &c. -- are out of scope.
Missing content -- iframes not loading, 404 pages, missing files, &c. - is out of scope.
Grammar errors, typos, encoding issues, or any other similar issues are out of scope.

Here are a few other relevant bug bounty programs. Any vulnerabilities in these systems which we can't directly fix are out of scope. The same is true for any known, intentional, "wontfix" issues and vulnerabilities.

b. "How do I claim a bounty?"

Browse available bounties here. State your intention to claim a bounty in the comments. An admin will ensure the bounty is assigned you you on a first-come, first-served basis. That is, if User A's comment has an earlier timestamp than User B, the admin will assign the bounty to User A.

c. "How do I get paid?"

We pay all bounties using Stripe. To add your Stripe information visit your account settings. Under "Payouts" click "Connect with Stripe." Follow Stripe's set up process. Then, when you return to your account, the button should read "Connected with Stripe." Once an admin marks a security tip "In Scope," the community owes the member the associated bounty. Once an admin marks a general bounty "Done," the community owes the member the associated bounty. We do not accept duplicate reports or pay duplicate bounties. There may be a lag between when a researcher reports a security tip and when that bug is fixed. If you report a bounty someone has already reported, it will be marked out of scope. We process all the payouts we owe -- security tips and bounties -- every Friday (California time).

II. Admins

a. "How do I manage security tips?"

New vulnerabilities appear here. All security tips are private by default -- visible only to the poster and the admins -- so you'll need to log in to see most vulnerabilities. If you need to make a vulnerability visible to a member, add that member to the thread by clicking the downward-facing arrow beside "Reply" and then "Edit Recipients." Managing and Evaluating New Tips When someone posts a new tip, click the downward-facing arrow beside "Reply" and then "Edit Tags." Select "Application," "Systems," and/or "Website," depending on the source of the vulnerability. Next, evaluate the post and determine whether or not it's in scope. If you think the vulnerability may be in scope, and need time to evaluate, add an "In Review" tag. Out of Scope If the vulnerability isn't in scope, use a reply to post the reason why. Then, do the following:

Click the downward-facing arrow beside "Reply" and select "Edit Tags."
Click "Out of Scope" and "Done." Remove the "In Review" tag if it's present.
Finally, lock the discussion by clicking the downward-facing arrow beside "Reply" and then "Lock."

In Scope If the vulnerability is in scope, click downward-facing arrow beside "Reply," and tag it according to these guidelines. Then, before you close the tag screen, add a "Done" and "In Scope" tag. Use a reply to post the reason why the bounty is in scope. (This can just be a summary of a similar entry in the Bugcrowd VRT For example, "Server Security Misconfiguration / Lack of Password Confirmation / Change Email Address.") Then, do the following:

Assign the vulnerability to the member who posted it. Click the downward-facing arrow beside "Reply" and then "Edit Recipients." Limit the discussion to yourself and the member who reported the vulnerability.
Lock the discussion by clicking the downward-facing arrow beside "Reply" and then "Lock." If it's present, remove the "In Review" tag by clicking the downward-facing arrow beside "Reply" and then "Edit Tags."
Pay the bounty using the instructions below. (See "How do I mark a bounty complete and initiate a payout?")

If you won't be fixing the vulnerability yourself, create a bounty using the instructions below. (See "How do I create and assign bounties?") If a vulnerability is urgent and sensitive, be sure to assign it to a trusted member of the community by clicking the downward-facing arrow beside "Reply" and then "Edit Recipients." This will keep the bounty private.

b. "How do I create and assign bounties?"

Create a public bounty post by clicking "Start a Discussion." Make sure you tag it according to our bounty priority and reward guidelines. A member will state his claim to a bounty in the comments. To assign the bounty, click the downward-facing arrow beside "Reply" and then "Edit Tags." Limit the discussion to yourself and the member who's claimed the bounty.

Once you've assigned a bounty, make sure you also add an "In Progress" tag.

c. "How do I mark a bounty complete and initiate a payout?"

Once you're satisfied a bounty has been completed, lock the discussion by clicking the downward-facing arrow beside "Reply" and then "Lock."

Then, add "Done" and "Paid" tags by clicking downward-facing arrow beside "Reply" and then "Edit Tags."

If you're unsure if the user has added a Stripe account, leave the following reminder as a comment on the thread: So I can initiate your payout, please add your Stripe information here. Once the user has added Stripe information, initiate the payout by hovering over the user's name or avatar. Click the three vertical dots and then "Send Payout."

You can also visit the user's profile page (eg., republic.confection.io/u/username), click "Controls" and then "Send Payout."

Enter the value of the bounty, a short description, click the red x to confirm the payout, and then click "Send." After making the payout, please add the transaction ID as a comment to the bottom of the thread.