Responsible Disclosure Policy
Policy and guidelines for submitting security related bugs.
If you believe you may have found a security vulnerability in one of our products or platforms, send us an email: security@onflow.org
Guidelines for Responsible Disclosure
We ask that all researchers adhere to these guidelines.
Rules of Engagement
- Make every effort to avoid unauthorized access, use, and disclosure of personal information.
- Avoid actions that could impact user experience, disrupt production systems, or change or destroy data during security testing.
- Don’t perform any attack that is intended to cause Denial of Service to the network, hosts, or services on any port or using any protocol.
- Use our provided communication channels to securely report vulnerability information to us.
- Keep information about any bug or vulnerability you discover confidential between us until we publicly disclose it.
- Please don’t use scanners to crawl us and hammer endpoints. They’re noisy and we already do this. If you find anything this way, we have likely already identified it.
- Never attempt non-technical attacks such as social-engineering, phishing, or physical attacks on our employees, users, or infrastructure.
In Scope URIs
Be careful that you're looking at domains and systems that belong to us and not someone else. When in doubt, please ask us. Maybe ask us anyway.
Bottom line, we suggest that you limit your testing to infrastructure that is clearly ours.
Out of Scope URIs
The following base URIs are explicitly out of scope:
- None
Things Not To Do
In the interests of your safety, our safety, and for our customers, the following test types are prohibited:
- Physical testing such as office and data-centre access (e.g. open doors, tailgating, card reader attacks, physically destructive testing)
- Social engineering (e.g. phishing, vishing)
- Testing of applications or systems NOT covered by the ‘In Scope’ section, or that are explicitly out of scope.
- Network level Denial of Service (DoS/DDoS) attacks
Sensitive Data
In the interests of protecting privacy, we never want to receive:
- Personally identifiable information (PII)
- Payment card (e.g. credit card) data
- Financial information (e.g. bank records)
- Health or medical information
- Accessed or cracked credentials in cleartext
Our Commitment To You
If you follow these guidelines when researching and reporting an issue to us, we commit to:
- Not send lawyers after you in relation to research conducted under this policy;
- Work with you to understand and resolve any issues within a reasonable timeframe, including an initial confirmation of your report within 72 hours of submission; and
- Recognize your contribution, at a minimum, in our Disclosure Acknowledgements if you are the first to report the issue and we make a code or configuration change based on it.
Disclosure Acknowledgements
Security acknowledgements can be found at https://dapperlabs.com/security_nods.txt
Reporting Security Findings
Reports welcome! Please do reach out to us if you have a security concern. If you believe you may have found a security vulnerability in one of our products or platforms, send us an email: security@dapperlabs.com
We encourage you to encrypt the information you send us using our PGP key at keys.openpgp.org/security@onflow.org
Please include the following details with your report:
- A description of the location and potential impact of the finding(s);
- A detailed description of the steps required to reproduce the issue; and
- Any POC scripts, screenshots, and compressed screen captures, where feasible.