GenPhrase Security Bug Bounties

Security Bug HuntPhoto: REUTERS

GenPhrase is a small PHP library (based on passwdqc’s pwqgen program) used to generate secure and easy to remember passphrases.

Due to the nature of the library, security is an absolute requirement (this is a reason GenPhrase is based on Openwall pwqgen).

To emphasise the security effort put on GenPhrase and to make the software better, I start a small GenPhrase security bug bounty program. I donate $100 to award people who find security bugs in the GenPhrase library.

The $100 bounty is split into smaller categories as follows:

  1. $50 for bugs which causes the generated passphrases to contain less entropy that was requested, i.e. with default settings (under certain “random byte output”) only two words are returned instead of three words, or if one element was being chosen from a set of 20 elements and only 19 different elements could get returned etc. And bugs which allow malicious code execution.
  2. $30 for bugs which causes the “elements” being chosen on non-uniform fashion.
  3. $5 for bugs which causes the “elements” being chosen on slightly non-uniform fashion or allows malicious code execution via unknown weaknesses in PHP core functions used by GenPhrase.

28 Aug 2014 Bounties for category 1 and 2 bugs were raised.

Bugs caused by a buggy (or malicious) system random number generator or “bad/invalid” wordlists added outside of the library are not subject to a bounty. Also, side-channels (i.e. in functions used to pick elements etc.) which are not practically exploitable are not subject to a bounty.

The target version of GenPhrase is always the latest tagged release on GitHub:

Found a security bug?

Send an email to with description of the bug(s). If it is an applicable find, I’ll send the payment to you (or whom you wish) via PayPal. You can send multiple bug reports in a single email, each will be awarded accordingly.

About payments

If the $100 bounty gets depleted, no more payments will be made until further notice. This page will be kept updated about how much of the bounty is still available.

GenPhrase Security Bug Bounty Recipients

  1. March 3. 2017. Words being chosen on (slight/medium) non-uniform fashion, found by Solar Designer. 20 USD Bitcoin payment was made to The Internet Archive by the request of Solar Designer.

The security bug bounty will be active until further notice.

This security bug bounty page was inspired by Tarsnap Bug Bounties.


comments powered by Disqus