Agora Bug Bounty Program

Preface

Agora is always looking to better protect our system and customers. Therefore, we invite security researchers to report any bugs or vulnerabilities they discover to us.

Once we receive notice of a bug or vulnerability, Agora customer service and security teams will respond quickly to address the issue.

In addition to our gratitude, those who report a vulnerability may be eligible for a monetary “bounty” based on the risk associated with the vulnerability and the importance of the affected system.

System importance classifications

The following table shows system importance classifications (in descending order), along with some example Agora assets:

Vulnerability severity classifications

The following list outlines detailed examples of how various vulnerabilities would be classified:

Critical

1. Unauthorized system privileges

Examples include command injection (execution), code injection (execution), web shell execution, SQL injection, and buffer overflow that gains system privileges on the core system.

2. Direct denial of service

Examples include actions that make service unavailable, reduce service quality, and so on.

3. Sensitive information leakage

Examples include SQL injection of the core database (identity, order), unauthorized disclosure of sensitive information relating to a user, product order, or payment method, and so on.

4. Serious logic design flaws and process defects

Examples include the ability to send batches of fraudulent messages, account consumption through a business interface, and large-scale modification of account passwords, and so on.

High

1. Sensitive information leakage

Examples include unauthorized disclosure of sensitive information relating to a source code, hardcoded passwords, and so on.

2. Unauthorized access to sensitive information

Examples include bypassing authentication or backend password, leading to unauthorized access to sensitive intranet information.

3. Unauthorized sensitive operations

Examples include manipulating important information without authorization, such as orders, major business configurations, and so on.

Medium

1. Vulnerabilities that require interaction and affect users

Examples include stored XSS (cross-site scripting).

2. General unauthorized operations

Examples include incorrect direct object references, unauthorized access to orders, unauthorized access to user information, and so on.

3. General information leakage

Examples include client-side stored plaintext passwords, system path traversal, and so on.

4. General logic design flaws and process defects

Low

1. Local denial of service vulnerabilities, CSRF (cross-site request forgery), reflected-XSS, and so on.

2. Minor information leakage, such as path information, SVN information, exception information, the local SQL injection of a client-side application (limited to database name, field name, log print), and so on.

3. Vulnerabilities that are difficult to exploit but still have security implications, such as plaintext transmission of passwords.

Info

1. Exposure of software banners, internal IP addresses, some public email addresses or phone numbers, and so on.

2. Using outdated versions of a system, supporting outdated version of an encryption protocol, such as SSL (secure-sockets layer) or tls (transport-layer security) 1.0, supporting low-strength encryption algorithms, and so on.

Bug Bounties

Please report any potential risks of Agora services that you may notice to security@agora.io. Any bounties awarded will conform roughly to the following ranges (based on the severity and system location of the bug or vulnerability, payable in $US):

• Critical: $300 to $5000
• High: $200 to $2000
• Medium: $150
• Low: $50
• Info: $0

Note: Agora reserves the sole right to determine any reward amount given.