A strong platform requires a robust community working together to find
security vulnerabilities in order to keep the network safe.
The following are best-effort response targets for hackers
participating in this program:
- Time to first response (from report submit) - 15 business days
- Time to triage (from report submit) - 20 business days
- Time to bounty (from triage) - 10 business days
We’ll try to keep you informed about our progress throughout the process.
- As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Reports out of scope will not be considered. Please check before submitting.
- Note that Celo is an open source project.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- Attacking any testnet other than the official Celo Baklava testnet (“Network”) is prohibited.
- Any attacks that could cause physical damage or incur costs to others' property are prohibited.
- Any attacks against Network nodes that violate the Amazon Web Services Acceptable Use Policy, the Google Cloud Platform Acceptable Use Policy, or the policies of other specific services you use are prohibited.
- Follow the Celo Community Code of Conduct.
- Participation is subject to the Baklava testnet Terms & Conditions.
Out of scope vulnerabilities
- Previously known vulnerabilities (resolved or not) on the Ethereum and Quorum networks (and any other fork of these).
- Missing best practices in SSL/TLS configuration.
- Attacks requiring physical access to a user's device.
- Previously known vulnerabilities in the standard libraries used.
- Vulnerabilities only affecting users of outdated Celo clients or unpatched operating systems (less than 1 stable version behind the latest released stable version).
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month.
- Issues that require unlikely user interaction.
- Examples and tests in the code, including mock (i.e. not real) values.
Any activities conducted in a manner consistent with this policy will be
considered authorized conduct and we will not initiate legal action against
you. If legal action is initiated by a third party against you in connection
with activities conducted under this policy, we will take steps to make it
known that your actions were conducted in compliance with this policy.
Thank you for helping keep the network safe!
This program, crawled on 2020-02-04, is sorted as bounty.