Agoric believes that strong security requires strong collaboration with skilled security researchers to improve the resilience of our code and all of the things it can do. If you believe you've found a security issue in our source code or smart contracts, we encourage you to notify us.

Coordinated Disclosure with Agoric

• Bugs in the Agoric SDK and can be reported to the Agoric HackerOne program or security@agoric.com .

  • Bugs submitted to H1 that are within the scope of the program may be eligible for reward.

• It is important to be able to provide steps that reproduce the issue and demonstrate its impact with a Proof of Concept example in an initial bug report. Before reporting a bug, a reporter may want to have another trusted individual reproduce the issue.

• A bug reporter can expect acknowledgment of a potential vulnerability reported through HackerOne or security@agoric.com within 1 day of submitting a report. If an acknowledgement of an issue is not received within this time frame, especially during a weekend or holiday period, please reach out again.

  • The bug triage team and Agoric code maintainers are primarily located in the San Francisco Bay Area with business hours in Pacific Time .

• For the safety and security of the network, bug reporters should not publicly share the details of a security bug on Twitter, Discord, Telegram, or in public Github issues during the coordination process.

• Once a vulnerability report has been received and triaged:

  • Agoric code maintainers will confirm whether it is valid, and will provide updates to the reporter on validity of the report.

  • It may take up to 72 hours for an issue to be validated, especially if reported during holidays or on weekends.

• When the Agoric team has verified an issue, remediation steps and patch release timeline information will be shared with the reporter.

  • Complexity, severity, impact, and likelihood of exploitation are all vital factors that determine the amount of time required to remediate an issue and distribute a software patch.

  • If an issue is Critical or High Severity, Agoric code maintainers will release a security advisory to notify impacted parties to prepare for an emergency patch.

  • While the current industry standard for vulnerability coordination resolution is 90 days, Agoric code maintainers will strive to release a patch as quickly as possible.

When a bug patch is included in a software release, the Agoric code maintainers will:

• Confirm the version and date of the software release with the reporter.

• Provide information about the security issue that the software release resolves.

• Credit the bug reporter for discovery by adding thanks in release notes, securing a CVE designation if applicable, or adding the researcher’s name to a Hall of Fame.

Program Rewards

• Rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard)

• All bounty amounts will be at the discretion of the Agoric team.

• Reports submitted using methods that violate policy rules will not be eligible for a reward.

• To be eligible for a reward, the report must be for bounty eligible assets as defined in the scope section of our policy.

• Multiple reports describing the same vulnerability against multiple assets or endpoints where the root cause is the same will be treated as one report. Do not submit duplicate reports for the same issue across multiple sites as the duplicates will be closed, and the issue will be treated as one report.

• While we aim for consistency, previous reports and prior bounty amounts will not set a precedent for future report eligibility or severity.

• Understand that there could be submissions for which we accept the risk, have other compensating controls, or will not address in the manner expected. When this happens, we will act as transparently as we can to provide you with the necessary context as how the decision was made.

Program Rules + Eligibility

Anyone can participate in this program, but there are no websites, web applications, or mobile applications include in the program scope.

• You agree and adhere to the Program Rules and Legal terms as stated in this policy.

• You are the first to submit a sufficiently reproducible report for a vulnerability in order to be eligible for the report to be accepted and Triaged.

• You are available to supply additional information, as needed by our team, to reproduce and triage the issue.

• Publically-known Zero-day vulnerabilities will not be considered for eligibility until more than 30 days have passed since patch availability.

• Out-of-scope vulnerability reports or reports that are technically reproducible but pose a very low security impact are likely to be closed as Informative.

• Agoric employees and third-party assets employees are not eligible for participation in this program.

Do

• Read and abide by the program policy.

• Perform testing using only accounts that are your own personal/test accounts or an account that you have explicit permission from the account holder to utilize.

• Exercise caution when testing to avoid negative impact to customers and the services they depend on.

• STOP testing if you are unsure about the impact it may have on our systems. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.

Do NOT:

• Do not Brute force credentials or guess credentials to gain access to systems.

• Do not participate in denial of service attacks.

• Do not upload shells or create a backdoor of any kind.

• Do not engage in any form of social engineering of Agoric employees, customers, or vendors.

• Do not engage or target any Agoric employee, customer, or vendor during your testing.

• • Do not attempt to extract, download, or otherwise exfiltrate data that you believe may have PII or other sensitive data other than your own.

• Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If ever prompted to change a password of an account you did not register yourself or an account that was not provided to you, stop and report the finding immediately.

• Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service. Do not interact with accounts you do not own or without the explicit permission of the account holder.

You may not discuss this program or any vulnerabilities (even invalid and resolved ones) outside of the program without express consent from the organization. If you are interested in sharing any information about your testing methodology related to a Agoric report, you must request permission on your report and you must receive written approval from a Agoric team member. Generally, we will strive to support the sharing of research and share information about issues reported to our program.

Scope

This program offers rewards for issues surfaced in:

• Hardened JavaScript, Agoric's a JavaScript runtime library for safely running third-party code.

• ERTP, Agoric's Electronic Rights Transfer Protocol that provides a uniform way of transferring tokens and other digital assets, both fungible and non-fungible, in JavaScript

• Zoe, Agoric's smart contract platform and language.

• The Automated Market Maker Smart Contract code.

• The Vaults (aka Treasury) Smart Contract code.

Out of Scope

As there are no web applications, mobile applications, or websites within the scope of this program, reports that include these issues will be considered out of scope. Please do not submit issues that fall into the following categories as they may negatively impact your reputation score.

• Dependency confusion

• Information leakage that cannot be used to make a direct attack, like server IP, server version, path, error message, internal IP, etc.

• PII - do not collect any personally identifiable information - including credit card information, addresses and phone numbers from other customers.

• Reports from automated tools or scans.

• Social engineering and physical attacks.

• Distributed Denial of Service attacks that require large volumes of data.

• 0-day vulnerabilities less than 30/60/90 days from patch release are ineligible for bounty.

• Provisioning and/or usability issues.

• Violations of licenses or other restrictions applicable to any vendor's product.

• Security vulnerabilities in third-party products or websites that are not under Agoric’s direct control.

• "Self" XSS

• Cross-site Scripting (XSS)

• Cross-site Request Forgery (CSRF)

• Session fixation

• Content Spoofing

• Missing cookie flags

• SSL/TLS best practices

• Mixed content warnings

• Clickjacking, tabnabbing, and UI redressing

• Flash-based vulnerabilities

• Local denial of service of Mobile APP

• Reflected file download attacks (RFD)

• Physical or social engineering attacks

• Feedback, comment, message, etc. flooding

• SMS/Email flooding for some of our business

• CSRF/XSS with long or unpredictable parameter

• Login_logout_unauthenticated/low-impact CSRF

• Unverified Results of automated tools or scanners

• No SPF_DMARC in non-email domains_subdomains

• Attacks requiring MITM or physical access to a user's device

• Issues related to networking protocols or industry standards

• Error information disclosure that cannot be used to make a direct attack

• Missing security-related HTTP headers which do not lead directly to a vulnerability

• Any issues related to the distribution of software.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep our company and our users safe!

F.A.Q.

1. Can I get Agoric swag?

Agoric does not currently offer swag to program participants, but we intend to add swag to this program in the future.

1. Can Agoric provide me with a pre-configured test account?

This program does not provide credentials or any special access.

1. What is required when submitting a report?

2. How do I make my report great?

3. I submitted a report. Now what? I have questions.

4. What causes a report to be closed as Informative, Duplicate, N/A, or Spam?

5. What is an example of an accepted vulnerability?

Valid and accepted vulnerabilities would be the type of report that identifies a unique security impact on this program’s specific scope. The report must also meet any submission criteria outlined in the policy, such as test plan instructions and a working proof of concept.