FakeProof verification is supposed to prevent fake videos. We'd like your help with improving FakeProof, by finding ways to break it ... so that we can fix them!
We expect all participants to be responsible bounty hunters, and to demonstrate good faith and ethics.
Contact firstname.lastname@example.org with all disclosures, questions, or suggestions.
Discovered vulnerabilities must be disclosed to us promptly, and at least one week before public disclosure.
We would greatly appreciate it if you would also disclose your notes/observations of *potential* vulnerabilities!
Bounties will be awarded for disclosed vulnerabilities that are found to be capable of generating a fake, even if the discoverer does not exploit the vulnerability. However, these described vulnerabilities will be investigated at our sole discretion.
Bounties will only be awarded to the first person to disclose.
Discovered vulnerabilities may be exploited to claim bounties, but exploitation should be to the minimum extent needed to demonstrate the vulnerability.
In no case may the exploit be destructive (for example: destroying databases, attacking the server with a DDoS)
In no case may the exploit create recordings with an intent to deceive the public (we encourage them to be compelling but obvious!)
Bounty hunters found to be in violation of these guidelines (at our sole discretion) will not be awarded bounties.
Compromise a recording file, affecting the verification result on many phones
Compromise a single phone (compromise the F/P app so that it *looks* like a fake recording passes all the verification checks)
Compromise of the server with impact on many phones and recordings
This is a special Bounty case, and gives only the fixed “F/P Server itself” reward.
Note: if some fooling of the F/P Server is part of the mechanism of a Compromise of a recording on many phones exploit, we may award the related bounty, at our sole discretion (we’re trying to draw a line between script kiddy attacks on the web server, and serious fundamental attacks).
Please review the “Bounty Program Rules” section above!
Bounties will be awarded using prepaid debit cards or some other mechanism (we're still figuring out methods that are acceptable to us and to awardees).
Bounty awards will be publicly announced and tracked on this page (below).