Introduction

This project has been sponsored by the European Commission as part of the EU-Free and Open Source Software Auditing (EU-FOSSA) project designed to improve the security of free software.

This program will be open for submissions for 8 weeks, though rewards may be processed beyond the 8 week period in order to allow for full evaluation of the impact of valid vulnerability reports.

Disclosure Policy

• Follow HackerOne's disclosure guidelines.
• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Please provide detailed reports with reproducible steps demonstrating a plausible exploitation scenario.
• If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• The project maintainers have final decision on which issues constitute security vulnerabilities. We will respect their decision, and we ask that you do as well.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service
• Spamming
• Social engineering (including phishing) of staff or contractors

Description

Below is a description of the Notepad++ packages (both 32/64 bit binary releases) but see Scope for what should be tested:

• Installer includes Notepad++, auto-updater, plugins admine and plugins.
• Normal zip/7z package includes Notepad++, plugins admine and plugins.
• Minimal 7z package includes only Notepad++.

Notepad++ core is composed in 2 parts:

• notepad++.exe: the main executable binary. source: https://github.com/notepad-plus-plus/notepad-plus-plus/tree/master/PowerEditor

• SciLexer.dll: Scintilla (https://www.scintilla.org/) is the editor component used by Notepad++. It's modified slightly to meet Notepad++'s need. source: https://github.com/notepad-plus-plus/notepad-plus-plus/tree/master/scintilla

Check https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/README.md to learn how to build both binaries.

Scope

• notepad++.exe: the main executable binary ( https://github.com/notepad-plus-plus/notepad-plus-plus/tree/master/PowerEditor )

• The scope should be limit to the minimal 7z package, which corresponds to https://notepad-plus-plus.org/repository/7.x/7.6.4/npp.7.6.4.bin.minimalist.7z

• The PoC must work on the master branch of https://github.com/notepad-plus-plus/notepad-plus-plus.git, or the latest build. Older builds are explicitly out of scope.

• The PoC must work on the latest version of Windows. Other platforms like Linux and MacOSX with WINE are out of scope.

Out Of Scope

• SciLexer.dll: Scintilla component ( https://github.com/notepad-plus-plus/notepad-plus-plus/tree/master/scintilla )

• Known bugs listed in the issues section on Github ( https://github.com/notepad-plus-plus/notepad-plus-plus/issues ).

• Reports relating to the Github repo wiki being publicly editable.

Test environment

Here are the steps to build your test environment (that prevent from wasting your time to find fixed issues):

1. unzip npp.7.6.4.bin.minimalist.7z
2. download nighty build from here: https://ci.appveyor.com/project/donho/notepad-plus-plus (click on artifacts tab, then download exe binary)
3. copy the downloaded exe binary into the folder where you unzipped minimal 7z package.
4. Run downloaded exe binary (instead of notepad++.exe

POC

Vulnerabilities are to be evaluated given contemporary computer architectures.

The PoC must work on the respective repository trunk heads or the latest released version. Older builds are explicitly out of scope.

Please always provide the Debug Info via menu ?->Debug Info... with your POC.

Rewards

Our rewards are based on the severity of a vulnerability. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring Standard) to calculate severity. We will update the program over time based on feedback, so please give us feedback on any part of the program you think we can improve on.

Critical severity bugs - €5000:

• Remote Code Execution

High severity bugs - €2500:

• Code Execution without user intervention

Medium severity bugs - €1000:

• Code Execution with user intervention
• High-impact Crashes
• Infinite loops

Low severity bugs - €250:

• Information leaks
• Crashes
• OOM

Bonus

There is a 20% bonus for including a fix in the report, when accepted by the maintainers.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Notepad++ and our users safe!

If you have any questions or concerns on this challenge, please contact [email protected].