# Submissions Round 1

Thank you for the first round of submissions! As part of our commitment to transparency, we will be sharing bug-finding attempts here (where no additional risk is posed) alongside our response and/or mediation.

Participants' identity will be anonymized. Submissions made here will also disqualify identical submissions made afterwards.

#### Submission 1 | Track 1

**Leaked API Keys in API Service Repository**\
Evidence of two exposed API keys found in the commit history of api-service. Auto-detected by Gitleaks on a local VPS.\
**Response:** Negative – misinterpretation of strings.

**Hard-coded JWT for Airdrop values in Dashboard**\
Hard-coded JWT tokens and API-like keys in nuxt.config.ts for Supabase.\
**Response:** Not a secrets leakage as it has the *`anon`* service role and points to public data. However, this JWT could be stored as a deploy secret, good find!

**Unnecessary private key and certificate included in test data**\
Ran Gitleaks full-history scan. Repository: anyone-protocol/sbws.\
**Response:** Negative. We accept tests working out of the box with the same keys.

**Private TLS key included in test directory**\
Ran Gitleaks full-history scan. Detected PEM format private key.\
<mark style="color:blue;">**Response:**</mark> Negative. We accept tests working out of the box with the same keys.

**Leaked private signing keys inside Docker example directories**\
Ran Gitleaks full-history scan. Detected PEM format keys in Docker example directories.\
<mark style="color:blue;">**Response:**</mark> Negative. We accept tests working out of the box with the same keys.

#### Submission 2 | Track 2

**Publicly reachable service at** [**containers.ops.anyone.tech**](http://containers.ops.anyone.tech)\
Passive reconnaissance scan of \*.[ops.anyone.tech](http://ops.anyone.tech) to collect HTTP status codes and final redirect targets.\
<mark style="color:blue;">**Response:**</mark> The containers are inherently set up as public. This track would have looked for a bypass of the oauth\_proxy.

**CORS misconfiguration on api.ec.anyone.tech**\
Passive recon of public Anyone endpoints discovered via crt.sh found a wildcard CORS policy on this host.\
<mark style="color:blue;">**Response:**</mark> Set up for use by certain services, but this is not ideal practice. Needs review.

<mark style="color:$success;">**Prize:**</mark> While this attempt did not strictly find a high-risk vulnerability, this was a thorough attempt making use of Gitleaks. The submitter will be contacted to receive a small prize!
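The wildcard CORS finding in Submission 2 is the kind of result a reviewer wants to grade consistently: a `*` origin, a reflected origin, and a reflected origin combined with credentials carry very different risk. The following is an added example, not code from this page or the Anyone project. It runs under Node.js, grades an observed `Access-Control-Allow-Origin` header against the `Origin` the probe sent and an assumed allowlist (the host `dashboard.example.test` is a placeholder), and shows the allowlist-based header set that would replace the wildcard.

```javascript
// Added example, not code from the page or the Anyone project: classify the CORS
// headers observed on an endpoint, and build the allowlist-based headers that
// replace a wildcard. The allowlist entry below is a placeholder for the example.

const ALLOWED_ORIGINS = new Set(["https://dashboard.example.test"]);

// requestOrigin:   value of the Origin request header sent during the probe.
// responseHeaders: plain object of response headers; names are matched case-insensitively.
function assessCors(requestOrigin, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) h[name.toLowerCase()] = String(value);
  const acao = h["access-control-allow-origin"];
  const credentials = (h["access-control-allow-credentials"] || "").toLowerCase() === "true";
  const varyOnOrigin = /\borigin\b/i.test(h["vary"] || "");

  if (acao === undefined) {
    return { risk: "none", reason: "no Access-Control-Allow-Origin: browsers block cross-origin reads" };
  }
  if (acao === "*") {
    return credentials
      ? { risk: "medium", reason: "wildcard plus credentials=true: browsers reject the pair, but the policy is wrong and should be scoped" }
      : { risk: "medium", reason: "wildcard: any origin can read unauthenticated responses; scope to an allowlist if any response is sensitive" };
  }
  if (acao === requestOrigin && !ALLOWED_ORIGINS.has(requestOrigin)) {
    return credentials
      ? { risk: "high", reason: "arbitrary origin reflected with credentials: authenticated responses readable cross-site" }
      : { risk: "medium", reason: "arbitrary origin reflected without an allowlist check" };
  }
  if (!varyOnOrigin) {
    return { risk: "low", reason: "explicit origin but no Vary: Origin; a shared cache may serve it to other origins" };
  }
  return { risk: "low", reason: "explicit allowlisted origin with Vary: Origin" };
}

// Hardened counterpart: echo the origin only when it is allowlisted; otherwise send
// no Access-Control-Allow-Origin at all (deny by omission), and always vary on Origin.
function corsHeadersFor(requestOrigin) {
  const headers = { Vary: "Origin" };
  if (ALLOWED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Stand-alone run: grade a constructed wildcard response and the hardened replacement.
const probeOrigin = "https://third-party.example.test"; // constructed sample origin
console.log("wildcard :", assessCors(probeOrigin, { "Access-Control-Allow-Origin": "*" }));
console.log("hardened :", assessCors(probeOrigin, corsHeadersFor(probeOrigin)));
```

`assessCors` deliberately treats "no header at all" as the safe baseline; an API consumed only by same-origin or server-side callers needs no CORS policy, and removing the header is often the simplest fix for a wildcard that was added out of convenience.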

#### Submission 3 | Track 1

**Leaked APIKey of Supabase**\
Manual repository review, found API key that allows public query\
**Response:** Not a secrets leakage as it has the *`anon`* service role and points to public data. However, this JWT could be stored as a deploy secret, good find as above!
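Submissions 1 and 3 both flagged the same Supabase JWT, and both responses turn on one claim inside it: a key with the `anon` role is public by design, while a `service_role` key would be a real leak. The following is an added example, not code from this page or the Anyone project. It runs under Node.js and decodes the payload of a scanner-flagged token without verifying the signature (classification only, the claims are never trusted for authorization), then grades the finding by its `role` claim. The severity labels and the constructed sample tokens are this example's own.

```javascript
// Added example, not code from the page or the Anyone project: triage a JWT that a
// secret scanner such as Gitleaks flagged in a config file. The payload is decoded
// WITHOUT signature verification; we only classify the finding. The `role` claim is
// the one Supabase puts in its anon and service_role keys.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split a compact JWS token (header.payload.signature) and parse the payload.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS token");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Map the role claim to a triage outcome. Severity labels are this example's own.
function classifyFinding(token) {
  let payload;
  try {
    payload = decodeJwtPayload(token);
  } catch (err) {
    return { severity: "unknown", role: null, reason: `not decodable as a JWT: ${err.message}` };
  }
  switch (payload.role) {
    case "service_role":
      return { severity: "high", role: payload.role,
               reason: "service_role bypasses row-level security: rotate the key and purge it from history" };
    case "anon":
      return { severity: "low", role: payload.role,
               reason: "anon key is public by design: still move it to a deploy secret and keep RLS policies tight" };
    default:
      return { severity: "medium", role: payload.role ?? null,
               reason: "unrecognised or missing role claim: confirm with the issuer before closing" };
  }
}

// Build a constructed sample token. The signature is a placeholder; nothing verifies it.
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.placeholder-signature`;
}

// Stand-alone run over two constructed tokens, one per Supabase role.
for (const role of ["anon", "service_role"]) {
  console.log(role, classifyFinding(makeSampleToken({ iss: "supabase", role })));
}
```

Decoding without verification is the right tool for triage but nothing more: the claims tell you which kind of key was committed, and the rotation decision follows from that, not from whether the token validates.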
