@@ -2,6 +2,7 @@ import { Button } from "@/components/ui/button";
22import { Card , CardContent } from "@/components/ui/card" ;
33import {
44 AlertTriangle ,
5+ Ban ,
56 Clock ,
67 DollarSign ,
78 ExternalLink ,
@@ -17,28 +18,28 @@ export default function Security() {
1718 severity : "Critical" ,
1819 cvssScore : "9.0 - 10.0" ,
1920 description : "Remote code execution, authentication bypass, privilege escalation" ,
20- compensation : "$200 - $500 " ,
21+ compensation : "$90 - $100 " ,
2122 color : "bg-red-500/10 text-red-600 dark:text-red-400 border-red-200 dark:border-red-800"
2223 } ,
2324 {
2425 severity : "High" ,
2526 cvssScore : "7.0 - 8.9" ,
2627 description : "Data exposure, unauthorized access, significant security impact" ,
27- compensation : "$100 - $200 " ,
28+ compensation : "$70 - $89 " ,
2829 color : "bg-orange-500/10 text-orange-600 dark:text-orange-400 border-orange-200 dark:border-orange-800"
2930 } ,
3031 {
3132 severity : "Medium" ,
3233 cvssScore : "4.0 - 6.9" ,
3334 description : "Limited data exposure, moderate security impact" ,
34- compensation : "$50 - $100 " ,
35+ compensation : "$40 - $69 " ,
3536 color : "bg-yellow-500/10 text-yellow-600 dark:text-yellow-400 border-yellow-200 dark:border-yellow-800"
3637 } ,
3738 {
3839 severity : "Low" ,
3940 cvssScore : "0.1 - 3.9" ,
4041 description : "Minor security issues, limited impact" ,
41- compensation : "$25 - $50 " ,
42+ compensation : "$1 - $39 " ,
4243 color : "bg-green-500/10 text-green-600 dark:text-green-400 border-green-200 dark:border-green-800"
4344 }
4445 ] ;
@@ -166,8 +167,7 @@ export default function Security() {
166167 < h3 className = "text-2xl font-semibold" > Compensation Guidelines</ h3 >
167168 </ div >
168169 < p className = "text-gray-600 dark:text-gray-300 mb-6" >
169- As a community-funded open source project, we offer modest but meaningful compensation based on CVSS v3 base metrics.
170- Final amounts are determined by impact, exploitability, and responsible disclosure practices.
170+ As a community-funded open source project, we offer modest compensation calculated directly from the CVSS v4 base score: each score point equals $10 (e.g. a score of 10.0 = $100).
171171 </ p >
172172 < div className = "grid gap-4" >
173173 { bountyLevels . map ( ( level , index ) => (
@@ -202,10 +202,12 @@ export default function Security() {
202202 < h3 className = "text-2xl font-semibold mb-4" > Eligibility Requirements</ h3 >
203203 < ul className = "space-y-2 text-gray-600 dark:text-gray-300 list-disc list-inside" >
204204 < li > First to report a previously unknown vulnerability</ li >
205- < li > Provide clear proof of concept</ li >
205+ < li > Provide a fully end-to-end reproducible code example as proof of concept</ li >
206206 < li > Follow responsible disclosure guidelines</ li >
207207 < li > Allow sufficient time for patching before disclosure</ li >
208208 < li > Vulnerability must affect the latest stable version</ li >
209+ < li > Report must be human-reviewed before submission</ li >
210+ < li > Respond to follow-up questions within 30 days during triage</ li >
209211 </ ul >
210212 </ CardContent >
211213 </ Card >
@@ -217,16 +219,37 @@ export default function Security() {
217219 </ div >
218220 < h3 className = "text-2xl font-semibold mb-4" > Out of Scope</ h3 >
219221 < ul className = "space-y-2 text-gray-600 dark:text-gray-300 list-disc list-inside" >
220- < li > Social engineering attacks</ li >
221- < li > Physical attacks against Parse infrastructure</ li >
222- < li > Denial of service attacks</ li >
222+ < li > Social engineering or physical attacks</ li >
223+ < li > Attacks against Parse Organization infrastructure</ li >
223224 < li > Issues in third-party dependencies (report to respective maintainers)</ li >
224225 < li > Already known or publicly disclosed vulnerabilities</ li >
226+ < li > AI-generated reports without manual verification</ li >
227+ < li > Submissions without Parse Server-specific code paths or context</ li >
228+ < li > Security hardening suggestions or configuration best practices (not vulnerabilities)</ li >
225229 </ ul >
226230 </ CardContent >
227231 </ Card >
228232 </ div >
229233
234+ < Card className = "mt-8 bg-red-50 dark:bg-red-900/20 border-red-200 dark:border-red-800" >
235+ < CardContent className = "p-8" >
236+ < div className = "flex items-start space-x-4" >
237+ < Ban className = "h-6 w-6 text-red-600 dark:text-red-400 flex-shrink-0 mt-1" />
238+ < div >
239+ < h3 className = "text-xl font-semibold mb-2 text-red-800 dark:text-red-200" > Anti-Abuse Policy</ h3 >
240+ < p className = "text-red-700 dark:text-red-300 mb-4" >
241+ To protect our volunteer maintainers from low-quality and AI-generated spam submissions, we enforce the following rules:
242+ </ p >
243+ < ul className = "space-y-2 text-red-700 dark:text-red-300 list-disc list-inside" >
244+ < li > < strong > AI-generated reports:</ strong > Generic or AI-generated descriptions without specific code paths are rejected</ li >
245+ < li > < strong > Strike system:</ strong > 3 invalid or spam submissions result in a permanent ban from the bounty program</ li >
246+ < li > < strong > Severity overstatement:</ strong > If the assessed CVSS score is significantly lower than claimed, compensation is voided</ li >
247+ </ ul >
248+ </ div >
249+ </ div >
250+ </ CardContent >
251+ </ Card >
252+
230253 < Card className = "mt-8 bg-blue-50 dark:bg-blue-900/20 border-blue-200 dark:border-blue-800" >
231254 < CardContent className = "p-8 text-center" >
232255 < h3 className = "text-2xl font-semibold mb-4 text-blue-800 dark:text-blue-200" >
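Review bot: Whose CVSS score determines the payout is left undefined: the Compensation Guidelines paragraph (hunk @@ -166) now says compensation is "calculated directly from the CVSS v4 base score", while the Anti-Abuse card (hunk @@ -217) voids payment when "the assessed CVSS score is significantly lower than claimed", so a reporter can read the former as their own self-assessed score and the two statements conflict. Suggest `As a community-funded open source project, we offer modest compensation calculated directly from the CVSS v4 base score as assessed by the maintainers: each score point equals $10 (e.g. a score of 10.0 = $100).` and, in the Severity overstatement bullet, defining "significantly" in terms of the severity bands already listed in bountyLevels rather than leaving it to judgement. The Out of Scope hunk removes "Denial of service attacks" without stating anywhere whether DoS-class findings in Parse Server code are now eligible (infrastructure attacks remain excluded), which invites disruptive testing; a one-line entry in either Eligibility Requirements or Out of Scope would settle it. The AI-generated-report rule is now stated three times (Eligibility Requirements, Out of Scope and the Anti-Abuse card) and could be given once with the other two lists referring to it.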