|Scope Type||Scope Name|
Tlon Corp looks forward to working with the researcher community to find security vulnerabilities in order to keep our businesses and customers safe. Tlon Corp works on the Urbit project, a personal server built from scratch, revolutionizing modern computing and the internet as we know it.
Tlon Corp will make a best effort to meet the following response targets for hackers participating in our program:
We’ll try to keep you informed about our progress throughout the process.
Urbit is divided into two distinct parts. Azimuth, the PKI layer, is currently deployed and in-scope for this Bounty Program. Arvo, Urbit's operating system, is still under very active development and is not currently in scope during this phase of Tlon Corp’s Bug Bounty Program. Arvo will be included at a later date – stay tuned.
Azimuth is a suite of Solidity contracts that functions as Urbit’s PKI. In our PKI, an identity (called a “point”) is represented as an ERC-721 token. Each point is owned by an Ethereum address and other Ethereum addresses can be registered as proxies to perform subsets of actions on behalf of the point.
We’re interested in any vulnerability in the contracts (or their clients) that would allow an attacker to either seize other user’s points, impersonate points or that would result in the platform becoming unusable.
An Azimuth development environment consists of two main components: a deploy
of the contracts in the Azimuth __repo and
an instance of the web client, Bridge __.
Both of these can be deployed simultaneously by cloning the Bridge repo,
npm install and then running
npm run pilot.
Bridge is always hosted locally, and has instructions for running an instance and accessing this instance via a web browser. Bridge also has a menu for selecting which chain to interact with, so it can easily be pointed to either the Mainnet, Ropsten or a local node, depending on the network under test.
If you encounter the “SecurityError: The operation is insecure” error when launching the pilot, remember to allow insecure https in your browser configurations. More details on Bridge __.
The repos below include instructions on the setup for each of these two components and how they interact.
Azimuth __contains all of the Solidity contracts as deployed. In this repo, you’ll find both Azimuth and Ecliptic. Azimuth is the data contract and Ecliptic, the logic contract.
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Tlon Corp.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Tlon Corp and our users safe!