Submissions Round 1
Thank you for the first round of submissions! As part of our commitment to transparency, we will be sharing bug-finding attempts here (where no additional risk is posed) alongside our response and/or mediation.
Participants' identities will be anonymized. Submissions published here also disqualify identical submissions made afterwards.
Submission 1 | Track 1
Leaked API Keys in API Service Repository
Evidence of two exposed API keys found in the commit history of api-service. Auto-detected by Gitleaks on a local VPS.
Response: Negative – misinterpretation of strings (the flagged strings are not credentials).
Hard-coded JWT for Airdrop values in Dashboard
Hard-coded JWT tokens and API-like keys in nuxt.config.ts for Supabase.
Response: Not a secrets leak: the key carries the anon role (not the service role) and points to public data. However, this JWT could be stored as a deploy secret rather than committed, good find!
Unnecessary private key and certificate included in test data
Ran Gitleaks full-history scan. Repository: anyone-protocol/sbws.
Response: Negative. We accept tests working out of the box with the same keys.
Private TLS key included in test directory
Ran Gitleaks full-history scan. Detected PEM-format private key.
Response: Negative. We accept tests working out of the box with the same keys.
Leaked private signing keys inside Docker example directories
Ran Gitleaks full-history scan. Detected PEM-format keys in Docker example directories.
Response: Negative. We accept tests working out of the box with the same keys; these keys are fixtures, not deployed credentials.
Submission 2 | Track 2
Publicly reachable service at containers.ops.anyone.tech
Passive reconnaissance scan of *.ops.anyone.tech to collect HTTP status codes and final redirect targets.
Response: The containers are inherently set up as public. This track would have looked for a bypass of the oauth_proxy in front of them.
CORS misconfiguration on api.ec.anyone.tech
During passive recon of public Anyone endpoints discovered via crt.sh, found a wildcard CORS policy (Access-Control-Allow-Origin: *).
Response: Set up for use by certain services, but this is not ideal practice. Needs review.
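Whether a wildcard CORS header is a real finding depends on what else the response says: browsers refuse to expose a credentialed response when `Access-Control-Allow-Origin` is `*`, so a bare wildcard only discloses what an anonymous client could fetch anyway, whereas an origin reflected back together with `Access-Control-Allow-Credentials: true` lets any page read the victim's authenticated responses. The following triage helper is an added example (not code from the Anyone project or from the submitter); the header sets it classifies are constructed, not captured from api.ec.anyone.tech.

```python
"""Triage CORS response headers the way a reviewer would rate a wildcard finding.

Added example; the header sets below are constructed, not real captures.
"""
from typing import Dict, Optional

NONE = "none"                                   # no cross-origin read at all
PUBLIC_READ = "public-read"                     # only anonymous data exposed
INVALID_WILDCARD = "invalid-wildcard-credentials"  # '*' + credentials: browser rejects
CREDENTIALED_READ = "credentialed-cross-origin-read"  # the exploitable case
ALLOWLISTED = "allowlisted"                     # some other origin is trusted, not ours


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def cors_risk(headers: Dict[str, str], request_origin: str) -> str:
    """Classify what a page at `request_origin` could read from this response."""
    acao = _get(headers, "Access-Control-Allow-Origin")
    creds = (_get(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"

    if acao is None:
        return NONE
    if acao == "*":
        # Per the Fetch spec, a credentialed request fails the CORS check when
        # ACAO is '*', so the wildcard never leaks authenticated data.
        return INVALID_WILDCARD if creds else PUBLIC_READ
    if creds and acao in (request_origin, "null"):
        # Reflected origin (or the 'null' origin trusted) plus credentials:
        # an attacker page can read the victim's cookie-authenticated responses.
        return CREDENTIALED_READ
    if acao == request_origin:
        return PUBLIC_READ  # reflected, but cookies are never attached
    return ALLOWLISTED


# Constructed sample responses as seen from a hypothetical attacker origin.
ATTACKER_ORIGIN = "https://evil.example"
WILDCARD = {"Access-Control-Allow-Origin": "*"}
WILDCARD_CREDS = {"Access-Control-Allow-Origin": "*",
                  "Access-Control-Allow-Credentials": "true"}
REFLECTED_CREDS = {"access-control-allow-origin": ATTACKER_ORIGIN,
                   "access-control-allow-credentials": "true"}
NULL_CREDS = {"Access-Control-Allow-Origin": "null",
              "Access-Control-Allow-Credentials": "true"}
STRICT = {"Access-Control-Allow-Origin": "https://dashboard.example"}
NO_CORS: Dict[str, str] = {}


def triage_samples() -> Dict[str, str]:
    """Run every constructed sample through cors_risk."""
    samples = {"wildcard": WILDCARD, "wildcard+creds": WILDCARD_CREDS,
               "reflected+creds": REFLECTED_CREDS, "null+creds": NULL_CREDS,
               "strict": STRICT, "no-cors": NO_CORS}
    return {name: cors_risk(h, ATTACKER_ORIGIN) for name, h in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:16} -> {verdict}")
```

To apply this to a live endpoint, send the same request twice, once with an arbitrary `Origin` header and once with `Origin: null`, and feed the response headers to `cors_risk`; a result of `credentialed-cross-origin-read` is the one worth a report, while `public-read` is the "not ideal but low risk" case the response above describes.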
Prize: While this attempt did not strictly find a high-risk vulnerability, it was a thorough attempt making use of Gitleaks. The submitter will be contacted to receive a small prize!
Submission 3 | Track 1
Leaked APIKey of Supabase
Manual repository review found an API key that allows public queries.
Response: Not a secrets leak: as above, the key carries the anon role (not the service role) and points to public data. However, this JWT could be stored as a deploy secret rather than committed, good find as above!
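Submissions 1 and 3 both flagged the same kind of artifact, a Supabase key that is a JWT committed to the dashboard repository. Supabase issues two such keys per project, both signed with the project's JWT secret: one whose `role` claim is `anon` (meant to ship in client code, with row-level security deciding what it can read) and one whose `role` claim is `service_role` (bypasses RLS and must never be committed). The decision in both responses above therefore comes down to reading the `role` claim. The helper below is an added example, not code from the Anyone project or the submitters; the keys it decodes are constructed here with a made-up secret so that it runs offline.

```python
"""Triage a committed Supabase key by its JWT `role` claim.

Added example with constructed tokens; the secret below is not a real one.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict

PUBLIC_ANON = "public-anon-key"          # public by design; RLS governs access
SECRET_SERVICE = "secret-service-role-key"  # bypasses RLS; rotate immediately
NOT_SUPABASE = "not-a-supabase-key"
NOT_JWT = "not-a-jwt"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(payload: Dict, secret: bytes) -> str:
    """Mint an HS256 token; used only to build constructed samples."""
    header = {"alg": "HS256", "typ": "JWT"}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def jwt_claims(token: str) -> Dict:
    """Decode the payload WITHOUT verifying the signature.

    That is deliberate: we are classifying a leaked artifact, not trusting it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def triage_supabase_key(token: str) -> str:
    """Map a committed token to a triage verdict based on its role claim."""
    try:
        claims = jwt_claims(token)
    except ValueError:          # covers binascii.Error and JSONDecodeError too
        return NOT_JWT
    if claims.get("iss") != "supabase":
        return NOT_SUPABASE
    role = claims.get("role")
    if role == "anon":
        return PUBLIC_ANON
    if role == "service_role":
        return SECRET_SERVICE
    return f"unknown-role:{role}"


# Constructed samples: same shape as real Supabase keys, fake secret and ref.
CONSTRUCTED_SECRET = b"constructed-jwt-secret-not-real"
_BASE = {"iss": "supabase", "ref": "exampleref", "iat": 1700000000, "exp": 2000000000}
ANON_KEY = make_hs256_jwt({**_BASE, "role": "anon"}, CONSTRUCTED_SECRET)
SERVICE_KEY = make_hs256_jwt({**_BASE, "role": "service_role"}, CONSTRUCTED_SECRET)
OTHER_JWT = make_hs256_jwt({"iss": "someone-else", "role": "admin"}, CONSTRUCTED_SECRET)


if __name__ == "__main__":
    for label, tok in (("anon", ANON_KEY), ("service", SERVICE_KEY),
                       ("other", OTHER_JWT), ("junk", "not a token")):
        print(f"{label:8} -> {triage_supabase_key(tok)}")
```

Run this over any `eyJ...` string Gitleaks reports in a Supabase-using repository: an `anon` verdict matches the responses above (low severity, though still better kept as a deploy-time secret so the project ref and key can be rotated without a commit), while a `service_role` verdict is a genuine secret leak.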