Tezos Foundation Security Policy

Security is a core value of Tezos, and the input of security researchers acting in good faith is highly valued in helping the Tezos ecosystem maintain a high standard of security, including high availability of the Tezos blockchain and the privacy of the community. This includes encouraging responsible vulnerability research and disclosure. This policy sets out the Tezos Foundation’s definition of good faith in the context of finding and reporting vulnerabilities, as well as what security researchers can expect from the Tezos Foundation in return.

Expectations

According to this policy, security researchers can expect the Tezos Foundation to:

  • Work with them to understand and validate their reports, including timely initial responses to submissions
  • Work to remediate discovered vulnerabilities in a timely manner
  • Recognize contributions to improving the security of Tezos if one is the first to report a unique vulnerability, and a report triggers a code or configuration change

Scope

In scope of this policy are all security-relevant bugs and errors found in the Tezos blockchain and in components of the Tezos ecosystem, for instance:

  • Tezos node and protocol
  • Tezos standards, which are in status “Final”: https://gitlab.com/tzip/tzip
  • Smart contracts
  • Smart contract programming languages
  • Wallets
  • Block indexers
  • Block explorers
  • HSMs
  • SDKs / Language bindings

Our infrastructure, such as web servers, DNS, and email, is not part of this policy.

If a security researcher is unsure whether an identified bug is within scope, inquiries can be sent by e-mail to [email protected].

Rewards

For bugs and errors found, a reward in the form of Tezos tokens (“tez”) is paid. The amount depends on factors such as the frequency of occurrence or the severity of the error.

Ground Rules

To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that security researchers attempt, in good faith, to:

  • Play by the rules. This includes following this policy and any other commonly accepted best practices;
  • Promptly report any vulnerability one has discovered;
  • Avoid violating the privacy of others, disrupting systems, destroying data, and/or harming user experience;
  • Use only the channels defined in the “How to report” section below to discuss vulnerability information with the Tezos Foundation;
  • Handle the confidentiality of details of any discovered vulnerabilities according to this policy;
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
  • If a vulnerability provides unintended access to data: Limit the amount of data one accesses to the minimum required for effectively demonstrating a proof of concept; and cease testing and submit a report immediately if one encounters any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
  • Only interact with test accounts one owns or with explicit permission from the account holder;
  • Do not engage in extortion.

Exclusion

In order to establish a fair reward program, the following user groups are excluded.

  • Tezos core development teams, Tezos Foundation employees and all other persons paid directly or indirectly by the Tezos Foundation are not entitled to any rewards.
  • Any developer working in collaboration with one of the Tezos organizations is not entitled to rewards.

Furthermore, the following are not eligible for the program.

  • A vulnerability that has been publicly disclosed is not eligible for a reward;
  • Issues that have already been submitted by another security researcher or that are already known to the Tezos Foundation will not be considered.

Safe Harbor

The Tezos Foundation considers vulnerability research conducted according to this policy to be:

  • Authorized in view of any applicable anti-hacking laws, and it will not initiate or support legal action against a security researcher for accidental, good-faith violations of this policy
  • Authorized in view of relevant anti-circumvention laws, and it will not bring a claim against security researchers for circumvention of technology controls
  • Exempt from restrictions in the Tezos Foundation’s policy that would interfere with conducting security research, and it waives those restrictions on a limited basis
  • Lawful, helpful to the overall security of the Tezos blockchain and conducted in good faith

Security researchers are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against a security researcher and the security researcher has complied with this policy, we will take steps to make it known that the security researcher’s actions were conducted in compliance with this policy.

If at any time one has concerns or is uncertain whether one’s security research is consistent with this policy, please submit a report through one of the Tezos Foundation’s channels outlined in the “How to report” section below before going any further.

How to report

Email to [email protected]. You can find our OpenPGP key at: https://tezos.foundation/.well-known/pgp-key.txt
