Thanks to God we are able to offer $360.000 colombian pesos (aprox. EU$120) for each vulnerability found and fixed in SIVeL 1.2 (we thank EU$50 offered by wiroal@riseup.net since 6.May.2010).
If you belong to an organization that documents infractions to Humanitarian International Law or Human Rights Violations with SIVeL, we invite you to donate for this public invitation, in order to increase the reward offered.
If you are developer or interested in information security we invite you to look for in the security of SIVeL, by experimenting on the test installation; or by doing your own installation, following the recommendations for the operation environment (see Capítulo 5, Instalación y Actualización), or by auditing the PHP sources in the public domain.
To report a vulnerability please have in mind:
You found the bug.
Each bug must be replicable in the test installation.
You can check the form that doesn't require authentication:
https://www.pasosdeJesus.org/sivel12/consulta_web.php ;
as well as in other components as the user
sivel12 with password
sivel12 and role analyst:
https://www.pasosdeJesus.org/sivel12/index.php ;
or as administrator
adminsivel12 also with
password sivel12.
This installation operates on the
recommended execution platform
(OpenBSD distribution
adJ
5.7,
web server nginx with SSL in chroot,
PostgreSQL with authentication and hardened PHP) and
uses data from
Banco De Datos de Violencia Política, DH y DIH del CINEP.
Your report should explain the methodology
that you used to find the bug and propose
a solution in the source code of the
branch master of the git repository
https://github.com/pasosdeJesus/SIVeL.
(in the directory
doc
of the sources there are examples of past
auditories).
Report the vulnerability as an issue in github and the fix as a pull request with the commentary "given to public domain."
Your report will be evaluated there and if we are able to reproduce the bug, we will give you the monetary compensation as you prefer: personally or via PayPal or bank transfer in Colombia.
The data about yourself that you don't want to publish in github (for example your name), can be sent to Vladimir Támara Patiño vtamara@pasosdeJesus.org or by writing to Cr 5 #33B-02, Bogotá, Colombia (if you need to send encrypted information you can use the PGP public key available at http://vtamara.pasosdeJesus.org/vtamara-pgp.txt).
We thank your interest in this public call, its most recent version is available at: http://sivel.sf.net/1.2/call.html. We invite you to distribute it without changes.