CELO Bug Bounty Program Intigriti

Security

Security Announcements

Public announcements of new releases containing security fixes, and disclosures of any vulnerabilities, will be made in the Celo Forum's Security Announcements channel.

Reporting a Vulnerability

We’re extremely grateful for security researchers and users that report vulnerabilities to the Celo community. All reports are thoroughly investigated.

Please do not file a public ticket mentioning any vulnerability.

The Celo community asks that all suspected vulnerabilities be privately and responsibly disclosed.

Creating a report:

  1. Submit your vulnerability to Celo on Intigriti.
    • This is currently a public program
  2. You can also email the [email protected] list with the details of reproducing the vulnerability as well as the usual details expected for all bug reports.

Primary Focus

  • Celo protocol, but the team may be able to assist in coordinating a response to a vulnerability in the third-party apps or tools in the Celo ecosystem.

In Scope

  • https://celo.org
  • https://*.celo.org
  • https://*.clabs.co
  • https://github.com/celo-org/*

Out of Scope

  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Presence of autocomplete attribute on web forms
  • Bypassing rate-limits
  • Clickjacking on pages with no sensitive actions
  • Host header injection without proven business impact
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability

General

  • If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
  • Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty.
  • Reports that state that software is out of date/vulnerable without a proof-of-concept

Frequently Asked Questions

  • What will happen if a vulnerability is reported and is already known to the company from its own tests?

    • It will be flagged as a duplicate
  • What kind of exploits are excluded from the program or may be lowered in severity?

    • Reports that state that software is out of date/vulnerable without a proof-of-concept
    • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces
    • Issues that would require complex end user interactions to be exploited may be excluded or be lowered in severity
    • Spam, social engineering and physical intrusion
    • DoS/DDoS attacks or brute force attacks
    • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
    • Attacks requiring physical access to a victim’s computer/device will not be accepted.
    • Man in The Middle
    • Compromised User Accounts
  • Do you accept recently disclosed zero-day vulnerabilities?

    • We need time to patch our systems just like everyone else - please give us 2 weeks before reporting

Optional Method for Disclosure

You may encrypt your email using this GPG key (but encryption is NOT required).

PGP Fingerprint ID: A22B62A5EAFB6948