Security Policy & Bug Bounty

Expectations

According to this policy, security researchers can expect the Tezos Foundation to:

  • Work with them to understand and validate their reports, including timely initial responses to submissions,
  • Work to remediate discovered vulnerabilities in a timely manner,
  • Recognise contributions to improving the security of Tezos where the researcher is the first to report a unique vulnerability and the report triggers a code or configuration change,
  • Reward complete, well-documented vulnerability reports appropriately.

Scope

In scope of this policy are all security-relevant bugs and errors found in the Tezos blockchain and in components of the Tezos ecosystem.

These include, but are not limited to, the following:

  • Tezos nodes and protocol,
  • Tezos standards, in their “Final” version: https://gitlab.com/tzip/tzip,
  • Smart contracts and their programming languages,
  • Wallets,
  • Block indexers and explorers,
  • HSMs,
  • SDKs / language bindings.

Note: the Tezos Foundation infrastructure (web servers, DNS, email, etc.) is not part of this policy.

Should you have doubts as to the eligibility of your bug, please contact the Tezos Foundation Security Team.

Bug Bounties

For confirmed vulnerabilities presented in a complete, well-documented report, a bounty in Tezos tokens (“tez”) will be offered, proportional to the frequency of occurrence and/or the severity of the vulnerability being reported.

Ground Rules

To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attacks, we ask that security researchers attempt, in good faith, to abide by the following:

  • Play by the rules. This includes following this policy and any other commonly accepted best practices,
  • Promptly report any vulnerability one has discovered,
  • Avoid violating the privacy of others, disrupting systems, destroying data, and/or harming user experience,
  • Use only the channels defined in the “Reporting” section below to discuss vulnerability information with the Tezos Foundation,
  • Handle details of any vulnerability discovered confidentially,
  • Perform testing only on in-scope systems avoiding systems and activities which are out-of-scope,
  • Should a vulnerability provide unintended access to data:
      • limit the amount of data accessed to the minimum necessary to demonstrate the vulnerability,
      • cease testing and submit a report the moment user data is encountered, including, but not limited to: Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data or proprietary information.
  • Only interact with test accounts one owns or with explicit permission from the account holder,
  • Do not engage in extortion.

Exclusion

In order to establish a fair reward program, the following user groups are not eligible to receive bug bounties:

  • Tezos core development teams, Tezos Foundation employees and all other persons paid directly or indirectly by the Tezos Foundation,
  • Any developer working in collaboration with one of the Tezos organisations.

Furthermore, the following disqualify the researcher from the bug bounty programme:

  • Public disclosure of the vulnerability without coordination with the Tezos Foundation,
  • Submitting issues which have already been submitted by another security researcher or which are already known to the Tezos Foundation.

Safe Harbour Provisions

For vulnerability research abiding by the conditions set out in this policy, the Tezos Foundation will consider said research to be:

  • Authorised with respect to any applicable computer crime legislation:
      • The Tezos Foundation will not initiate or support legal action against the security researcher for accidental, good-faith violations of this policy.
  • Authorised with respect to any relevant anti-reverse engineering legislation:
      • The Tezos Foundation will not initiate or support legal action against the security researcher for circumvention of anti-reverse engineering restrictions.
  • Exempt from restrictions in the Tezos Foundation’s policy which would interfere with conducting security research, waiving said restrictions on a limited basis.

Security researchers are expected to abide by all applicable laws. Should legal action be initiated by a third party against a security researcher who is in compliance with this policy, the Tezos Foundation will take appropriate steps to make it known that the security researcher’s actions were conducted in compliance with this policy.

Should a security researcher have concerns or doubts regarding the compliance of their research with this policy they are invited to contact the Tezos Foundation Security Team.

Reporting

The Tezos Foundation Security Team can be contacted via email to [email protected] (PGP key id DD3930479B725A5E1C4B8E6E01DA2052F1A3A889).
