Closing the First Bug Bounty
Our first formal external security engagement is closed. We published a bug bounty program. We invited a researcher in. Over nine days, he produced thirteen findings. Today we shipped fixes for the unauthenticated-disclosure issues that were straightforward enough to land cleanly, and put a structural change behind one of them so it stays fixed.
Before anything else — the credit:
The Engagement
We gave NullFox a wide-open scope: the apex domain, the affiliate platform, the API. The directive was, in his words, "really try and break past its gates with whatever trick I have."
What came back was thirteen findings, organized cleanly by severity. The headline finding — an authentication chain on the affiliate registration endpoint that allowed unauthenticated credential retrieval — was disclosed on day one. We patched the credential exposure within an hour.
What He Found That We Hadn't
The single most useful contribution wasn't a specific vulnerability. It was a structural observation we hadn't named clearly ourselves.
The affiliate platform's registration endpoint accepts any string formatted as an email address and creates a live account immediately. There's no confirmation step. That single missing check is the shared root of four separate attack categories: mass account creation, automated user enumeration, brute-force reach, and a payout-fraud chain that doesn't even require exploiting a vulnerability — just observing how affiliate invitation emails work.
The fix is one workstream, not four tickets. Email validation plus CAPTCHA, in that order, collapses the whole family.
That kind of pattern-naming is the part of an external review you can't get from internal eyes. We were tracking those issues as four separate items. He wrote it as one.
What Shipped Today
Three of the smaller-scope findings were fixable cleanly without architectural change. Rather than ship one-line edits, we put structural fixes behind each — the goal is that they stay fixed even as the codebase moves.
- Now returns {"status":"ok"}. Detailed tunnel and peer state was moved to the existing admin-only endpoint at /fleet/status, which now reads from a watchdog-published JSON state file rather than exec'ing privileged shell commands. The change preserves NoNewPrivileges=yes on the API service while still giving operators accurate visibility.
- Now returns {"error":"unauthorized"} only. Documented API consumers don't need the auth mechanism echoed back at them; unauthenticated probes don't either.
- Now returns {"error":"not found"} only. Error responses don't map the API surface anymore.
One bonus item we caught while in the same code path: /fleet/status was reporting tunnel: down even when the tunnel was healthy — a silent failure inside the privileged subprocess call. The watchdog-published state file fixes that as a side effect. Operators now see real WG state instead of a stale lie.
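As an added illustration of the pattern above (example code, not the project's own): the watchdog publishes a JSON state file atomically, and the API reads that file instead of shelling out, reporting an unreadable or stale file explicitly rather than as a false tunnel: down. The file path and the 30-second freshness window are assumptions.

```python
import json
import os
import time

STATE_PATH = "/run/fleet/state.json"  # assumed watchdog output path, not the project's real one
MAX_AGE = 30  # seconds before a published state counts as stale (assumed)


def publish_state(state, path=STATE_PATH, mtime=None):
    """Watchdog side: write the JSON atomically so the API never sees a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(state, f)
    if mtime is not None:  # optional fixed timestamp, handy for deterministic checks
        os.utime(tmp, (mtime, mtime))
    os.replace(tmp, path)


def public_status():
    """Unauthenticated health check: liveness only, no tunnel or peer detail."""
    return {"status": "ok"}


def read_state(path=STATE_PATH, now=None):
    """API side: read the watchdog's file. No subprocess, so NoNewPrivileges=yes holds."""
    now = time.time() if now is None else now
    try:
        with open(path) as f:
            state = json.load(f)
        age = now - os.stat(path).st_mtime
    except (OSError, ValueError):
        # Unreadable state is reported as such, never silently collapsed into "down".
        return {"tunnel": "unknown", "reason": "state file unreadable"}
    if age > MAX_AGE:
        return {"tunnel": "unknown", "reason": "state stale (%ds)" % age}
    return state


def fleet_status(is_admin, path=STATE_PATH, now=None):
    """Admin-only detailed view; everyone else gets the uniform unauthorized body."""
    if not is_admin:
        return 401, {"error": "unauthorized"}
    return 200, read_state(path, now)


def not_found():
    """Uniform 404 body: no route hints, nothing that maps the API surface."""
    return 404, {"error": "not found"}
```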
What's Still Open
Most of the remaining findings cluster in two places: the affiliate platform's email-validation gap, and a DNS configuration issue on the apex domain. Both are real work, neither is shipping today.
- F01 family (High — partially remediated). The credential-exposure piece was patched on day one. The user-enumeration, mass-create, and code-reset pieces ride together with the email-validation workstream. Email confirmation comes first; uniform-response enumeration fix lands once that's in place; CAPTCHA on registration completes the trio.
- F12 (Low). The affiliate invite logic flaw — sender's email plus their own affiliate code is the full credential set delivered to every recipient. Fix is to decouple the public referral token from the auth credential. Same workstream as F01.
- F02 (Low). Apex domain (ghostporttechnologies.com without www.) doesn't reach the production stack — the A record points at a registrar parking IP. This is a DNS-panel fix, not a server fix. Already on the punch list.
- F03, F04, F05, F11. Account recovery path, asset-routing audit, 404 standardization, blog multi-origin canonicalization. All scoped, none load-bearing for the security posture, all queued.
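An added example (not the affiliate platform's code) of the registration workstream described in the root-cause section and in the F01/F12 items: accounts stay pending until email confirmation, every registration attempt gets the same reply so existing addresses can't be enumerated, a CAPTCHA gate sits in front, and the public referral code is a separate value from any secret. The in-memory store, the TTL and the confirmation URL are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-in for the affiliate user table: email -> record.
ACCOUNTS = {}
CONFIRM_TTL = 3600  # seconds a confirmation link stays valid (assumed value)
# One body for every registration attempt, so the reply never reveals whether the address exists.
GENERIC_REPLY = {"status": "ok", "message": "If this address is eligible, a confirmation email has been sent."}


def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def register(email, captcha_ok, send_mail, now=None):
    """Create a pending (inactive) account and email a single-use confirmation token."""
    now = time.time() if now is None else now
    if not captcha_ok:  # CAPTCHA gate in front of mass automated sign-ups
        return {"error": "captcha required"}
    email = email.strip().lower()
    local, sep, domain = email.partition("@")
    if not (sep and local and "." in domain):
        return {"error": "invalid request"}
    acct = ACCOUNTS.get(email)
    if acct is None or not acct["active"]:
        token = secrets.token_urlsafe(32)  # raw token goes only into the email
        ACCOUNTS[email] = {
            "active": False,
            "token_hash": _hash(token),  # store a hash, never the raw token
            "expires": now + CONFIRM_TTL,
            # Public referral code: shareable, but useless as a login credential (F12 decoupling).
            "referral": secrets.token_urlsafe(9),
        }
        send_mail(email, "https://example.invalid/confirm?token=" + token)  # placeholder URL
    # An already-active address gets the identical reply and no email: nothing to enumerate.
    return GENERIC_REPLY


def confirm(email, token, now=None):
    """Activate the account only on a valid, unexpired, unused token."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email.strip().lower())
    if acct is None or acct["active"] or now > acct["expires"]:
        return {"error": "invalid or expired"}
    if not hmac.compare_digest(acct["token_hash"], _hash(token)):
        return {"error": "invalid or expired"}
    acct["active"] = True
    acct["token_hash"] = ""  # single use
    return {"status": "ok"}
```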
F06 (the public support@ address) and F07 (a stale GitHub redirect) are effectively closed: the support address is intentionally public, and the GitHub repo is now live at the documented URL after we open-sourced the OS earlier this week.
Why We're Publishing This
Two reasons. First, a researcher who finds something real and discloses it cleanly deserves their name on the page. NullFox did the work; he gets the credit. That's the whole job description of a Hall of Fame.
Second, security findings have a shelf life. A bug found in private and fixed in private is a fix nobody can verify. A bug found in private, fixed in public, with a researcher named and a status tracked, is something a future user, investor, or auditor can actually read. We'd rather be the company that publishes a remediation log than the one that publishes a "we take security seriously" boilerplate.
The bug bounty program is open. Scope, rules, and the report form are on the bounty page. If you find something, we want to hear about it. If you find something good, your name goes here.