Thanks to God we are able to offer EU$100 ($300.000 Colombian pesos) for each vulnerability found and fixed in SIVeL 1.0.5 (we are thankful for the EU$50 --$150.000-- offered by wiroal@riseup.net since 6.May.2010).
If you belong to an organization that documents infractions of International Humanitarian Law or Human Rights violations with SIVeL, we invite you to donate to this public invitation, in order to increase the reward offered.
If you are a developer or are interested in information security, we invite you to look for security bugs in SIVeL by experimenting on the test installation; by doing your own installation, following the recommendations for the operation environment (see Capítulo 5, Instalación y Actualización); or by auditing the PHP sources, which are in the public domain.
To report a vulnerability please keep in mind:
You found the bug.
Each bug must be replicable in the test installation. You can check the form that doesn't require authentication: https://sivel1.pasosdeJesus.org/consulta_web.php ; as well as other components that shouldn't allow modification of information as user sivel1 with password sivel1: https://sivel1.pasosdeJesus.org/index.php ; or as administrator adminsivel1 (same password). This installation operates on the recommended execution platform (OpenBSD distribution adJ 4.6, web server with SSL in chroot, PostgreSQL and hardened PHP) and uses data from Banco De Datos de Violencia Política, DH y DIH del CINEP.
Your report should explain the methodology that you used to find the bug and propose a solution in the source code of the branch SIVEL1_0 of the CVS repository https://sourceforge.net/scm/?type=cvs&group_id=104373 (in the directory doc of the sources there are examples of past audits).
To report a vulnerability, subscribe your email address to the unmoderated list sivel-desarrollo and send your public domain report there (by reporting a vulnerability in that list you confirm that your contribution is in the public domain).
Your report will be evaluated and answered in the same list, and if we are able to reproduce it, we will give you the monetary compensation personally, or via PayPal or a bank transfer.
Any data about yourself that you don't want to publish in the list (for example your name) can be sent to Vladimir Támara Patiño vtamara@pasosdeJesus.org or by writing to Cr 5 #33A-08, Bogotá, Colombia (if you need to send encrypted information you can use the PGP public key available at http://vtamara.pasosdeJesus.org/vtamara-pgp.txt).
We thank you for your interest in this public call; its most recent version is available at: http://sivel.sf.net/1.0/call.html. We invite you to distribute it without changes.