The Agoric Coordinated Vulnerability Disclosure Policy
Strong security requires strong collaboration with security researchers who seek to improve the resilience of the Agoric ecosystem. Agoric welcomes feedback from anyone who believes that they may have discovered a vulnerability or other security issues, and we encourage you to contact us so that we can work together to resolve any valid issues that may exist.
Reporting a Security Bug to Agoric
- Bugs in the Agoric SDK and can be reported to the Agoric HackerOne program, or [email protected].
- Bugs submitted to HackerOne that are within the scope of the program will be eligible for reward. It may be necessary to create a HackerOne account to submit a bug report, but submitting via HackerOne is required to be eligible for bounty rewards.
- Bug reporters who may not want to sign up for a HackerOne account can always directly contact Agoric’s code maintainers via [email protected] with an issue, however any issue submitted through email will not be eligible for a bounty, even if it is also submitted through HackerOne.
- It is important to be able to provide steps that reproduce the issue and demonstrate its impact with a Proof of Concept example in an initial bug report. Before reporting a bug, a reporter may want to have another trusted individual or validator on devnet to reproduce the issue.
- A bug reporter can expect acknowledgment of a potential vulnerability reported through HackerOne within the timelines listed on the program page, or within a day of submitting a report to [email protected]. If an issue is not acknowledged within this time frame, especially during a weekend or holiday period, please reach out again.
- The Security team and Agoric code maintainers are part of a remote organization with operations primarily located in the San Francisco Bay Area. As we are a small team that is active during business hours in PST (UTC -8:00), our location and resources may also impact response times for issues reported from distant time zones.
- For the safety and security of the network, it is best to conduct testing on an available devnet. We strongly discourage testing on our active mainnet as it is a production environment. Additionally, bug reporters should avoid publicly sharing the details of a security bug on Twitter, Discord, Telegram, or in public Github issues during the vulnerability coordination process. Doing so may void your eligibility for bounty if submitting through HackerOne.
- Once a vulnerability report has been received and triaged:
- Agoric code maintainers will confirm whether it is valid, and will provide updates to the reporter on the status of the report.
- It may take up to 72 hours for an issue to be triaged, especially if reported during holidays or on weekends.
- When the Agoric team has verified an issue, remediation steps and patch release timeline information will be shared with the reporter.
- Complexity, severity, impact, and likelihood of exploitation are all vital factors that determine the amount of time required to remediate an issue and distribute a software patch.
- If an issue is Critical or High Severity, Agoric code maintainers will release a security advisory to notify impacted parties to prepare for an emergency patch.
- While the current industry standard for vulnerability coordination resolution is 90 days, Agoric code maintainers will strive to release a patch for a critical or high severity issue as quickly as possible within that time frame.
When a bug patch is included in a software release, the Agoric code maintainers will:
- Confirm the version and date of the software release with the reporter.
- Provide information about the security issue that the software release resolves.
- Credit the bug reporter for discovery by paying out a bounty (if applicable), adding acknowledgements in software release notes, or adding the researcher’s name to a Hall of Fame.
Our Commitment to Researchers
When working with us, according to this policy, you can expect us to:
- Respond to your report promptly, and work with you to understand and triage your report;
- Strive to keep you informed about the progress of a vulnerability as it is processed;
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
- Extend Safe Harbor for your vulnerability research that is related to this policy.
Our Expectations for Collaborating with Researchers
In participating in our coordinated vulnerability disclosure program in good faith, we ask that you:
- Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- You should only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.
Safe Harbor for Security Researchers
When conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:
- Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.