Out of Scope
Scope Type | Scope Name
other | Intercom is a 3rd party add-on and is not in scope.
SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
SmartContract will make a best effort to meet the following SLAs for hackers participating in our program:
Type of Response | SLA in business days
First Response | 3 days
Time to Triage | 5 days
Time to Bounty | 30 days
Time to Resolution | depends on severity and complexity
We’ll try to keep you informed about our progress throughout the process.
The Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. Job Specifications are added to the node through a REST API so that it knows what tasks to perform. The Chainlink node utilizes a WebSocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). An overview of the architecture is available here.
The Chainlink node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out of scope; see the Scope section at the bottom of this page for details.
We also have a project tracker where existing bugs are kept. Be sure to check there for issues that we already know about.
The smart contracts residing on the GitHub repository are in scope, and vulnerabilities found through creating Chainlink requests will be awarded bonuses.
The faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.
Our front-end site displays information about the project. Currently there is no application residing here. Intercom is a 3rd party add-on and is not in scope for this program.
We have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. Feel free to reach out on our Gitter for help.
Use our Decentralized Oracles on Testnet documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the nodes on this page are considered in scope.
We have set up a Chainlink node specifically for the HackerOne bounty program. It is available at the link below. To test the security of this application, we will not be supplying credentials for it. Our API Reference can be used to provide information on how to interact with the software.
When creating Chainlinked contracts, you may use the information below to utilize this node. You are free to modify the ChainlinkClient contract and its imported contracts as you please, in order to find vulnerabilities with the deployed Oracle contract and the node that fulfills its requests. You can obtain Ropsten LINK by visiting our Faucet (also in-scope).
Jobs have been added to this node which you can use to get data back to your smart contract:
See the Request data using Chainlink page for examples of how to create Chainlink requests from your Solidity smart contract.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Chainlink and our users safe!