The "Fake it till you break it" Bounty Program

FakeProof verification is supposed to prevent fake videos. We'd like your help with improving FakeProof, by finding ways to break it ... so that we can fix them!

Bounty Program Rules

We expect all participants to be responsible bounty hunters, and to demonstrate good faith and ethics.

  • Contact with all disclosures, questions, or suggestions.

  • Discovered vulnerabilities must be disclosed to us promptly, and at least one week before public disclosure.

    • We would greatly appreciate it if you would also disclose your notes/observations of *potential* vulnerabilities!

    • Bounties will be awarded for disclosed vulnerabilities that are found to be capable of generating a fake, even if the discoverer does not exploit the vulnerability. However, these described vulnerabilities will be investigated at our sole discretion.

    • Bounties will only be awarded to the first person to disclose.

  • Discovered vulnerabilities may be exploited to claim bounties, but exploitation should be to the minimum extent needed to demonstrate the vulnerability.

  • In no case may the exploit be destructive (for example: destroying databases, attacking the server with a DDoS)

    • Please disclose destructive vulnerabilities to us -- we may award bounties at our sole discretion.

  • In no case may the exploit create recordings with an intent to deceive the public (we encourage them to be compelling but obvious!)

Bounty hunters found to be in violation of these guidelines (at our sole discretion) will not be awarded bounties.

Types of Exploit

  • Compromise a recording file, affecting the verification result on many phones

    • This is the default magnitude of exploit needed to claim the bounties.

  • Compromise a single phone (compromise the F/P app so that it *looks* like a fake recording passes all the verification checks)

    • There may be different bounties for rooted vs unrooted phones

    • This is a special Bounty case and gives only the fixed “F/P App itself” reward.

  • Compromise of the server with impact on many phones and recordings

    • This is a special Bounty case, and gives only the fixed “F/P Server itself” reward.

    • Note: if some fooling of the F/P Server is part of the mechanism of a Compromise of a recording on many phones exploit, we may award the related bounty, at our sole discretion (we’re trying to draw a line between script kiddy attacks on the web server, and serious fundamental attacks).

    • Please review the “Bounty Program Rules” section above!

Bounties will be awarded using prepaid debit cards or some other mechanism (we're still figuring out methods that are acceptable to us and to awardees).

Bounty awards will be publicly announced and tracked on this page (below).

Canonical Recordings

Note: to verify these recordings, download the full file to your phone, move it to the Movies/FakeProof folder, and then open them from the FakeProof app

  1. A snowy evening -- note: these recordings didn’t have OpenTimestamps attestations!

  1. In the mirror -- note: location turned off for privacy reasons