A strong platform requires a robust community working together to find security vulnerabilities in order to keep the network safe.

Response Targets

The following represent best efforts response targets for hackers participating in this program:

• Time to first response (from report submit) - 2 business days

• Time to triage (from report submit) - 20 business days

• Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Program Rules

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

• Reports out of scope will not be considered. Please check before submitting.

• Note that Celo is an open source project.

• Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.

• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.

• Attacking any testnet other than the official Celo Baklava testnet (“Network”) is prohibited.

• Any attacks that could cause physical damage or incur costs to other’s property is prohibited.

• Any attacks against Network nodes that violate [Amazon Web Services Acceptable Use Policy] (https://aws.amazon.com/aup/) and Google Cloud Platform's Acceptable Use Policy and other specific services you use is prohibited.

• Follow the Celo Community Code of Conduct.

• Participation is subject to the Baklava testnet Terms & Conditions.

Test Plan

• Set up a node on the network following these instructions: Getting Started - Running a Full Node.

• If you are new to blockchains and/or to Celo, take a look at the Celo overview

• Explore the code on GitHub - the two main repositories are celo-monorepro and celo-blockchain.

• You’re now set up to start looking for vulnerabilities.

• Have questions? Checkout the Forum and join the discussion on Discord.

Out of scope vulnerabilities and assets

• Previously known vulnerabilities (resolved or not) on the [Ethereum] (https://github.com/ethereum) and [Quorum] (https://github.com/jpmorganchase/quorum) networks (and any other fork of these).

• Missing best practices in SSL/TLS configuration.

• Attacks requiring physical access to a user's device.

• Previously known vulnerable of standard libraries used.

• Vulnerabilities only affecting users of outdated Celo clients or unpatched operating systems (less than 1 stable versions behind the latest released stable version).

• Public Zero-day vulnerabilities that have had an official patch for less than 1 month.

• Issues that require unlikely user interaction.

• Examples and tests in the code, this includes mock (i.e. not real) values.

• Clickjacking

• learn.clabs.co

Out of Scope Domains

• learn.celo.org

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep the network safe!