CasperTech systems are widely regarded as the most secure platform for commerce in Second Life. Indeed, we have (to-date) never had a major security incident (major being defined as any incident which negatively impacts the service or its users). Part of this is due to our rigorous internal testing procedures and outsourced vulnerability testing and auditing.
However, this being said, we are not arrogant enough to believe that we are invulnerable, and as such we've launched a bounty system to reward security analysts who find security issues in our systems.
We will reward a bounty of at least L$10,000 to the first person who reports a security flaw to us, providing that the following rules are met:
- DO NOT use automated vulnerability scanners such as Acunetix Web Vulnerability Scanner against our servers. Even when throttled, these scanners cause a lot of load on our systems. We actively detect, block and ban users who use such tools.
- The bug must be something that can actively be exploited by any third party to compromise the integrity of the CasperVend or CasperLet system, or violate the privacy or integrity of our customers.
- The bug must be something which is under our control - an issue found with third party plugins or services does not qualify.
- You must not intentionally cause damage to our systems or our customer's data while testing the exploit. If you have intentionally exploited an issue in order to cause damage or to achieve gain, no reward will be paid.
- You must not release information on the exploit to any third parties.
- The bug MUST be filed on our bug tracker (https://bugs.casperdns.com) as a "Security violation" and ALSO by IM to Casper Warden with a link to the issue on the tracker. Note that issues filed as "security violations" are not publicly viewable.
- Only the first person who reports the issue will be rewarded.
- Bounties are not payable on beta testing or pre-release software or websites.
The following issues may not be eligible, and/or may not qualify for the full bounty depending on severity:
- DDoS attack vectors
- Spam or social engineering techniques
Any reward paid for issues pertaining to the these issues, if any, will be based upon severity and is at our sole discretion.