Flow Responsible Disclosure
Guidelines for Responsible Disclosure
We appreciate the security research community and encourage researchers to report potential vulnerabilities in our assets. If you identify a vulnerability, please notify us using the following guidelines.
Things To Do:
- Make every effort to avoid unauthorized access, use, downloading, destruction, or disclosure of personal or confidential information.
- Avoid actions that could impact user experience, disrupt production systems, or change or destroy data during security testing.
- Use our provided communication channels to report vulnerability information to us.
- Keep information about any vulnerability you discover confidential between us for a reasonable time, so that we can review and resolve the vulnerability, or until we have notified you that the vulnerability has been resolved.
- Only test assets covered by the “Assets In Scope” section.
Things Not To Do:
- Do not include Sensitive Data in your reports. See the “Sensitive Data” section for further information.
- Do not perform any attack that may cause denial-of-service to the network, hosts, applications, or services on any port or protocol.
- Do not use automated scanners to crawl us or hammer endpoints.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- Do not perform physical testing such as office and data-center access (e.g., open doors, tailgating, card reader attacks, or physically destructive testing).
- Do not test assets explicitly listed in the “Assets Out of Scope” section.
Assets In Scope
- *.flow.com
- *.onflow.org
Assets Out of Scope
- n/a
Sensitive Data
- Personal Information
- Payment card data (e.g. credit card numbers)
- Financial information (e.g. bank account numbers)
- Accessed or cracked credentials in cleartext
Exclusions (Non-Qualifying Vulnerabilities)
Flow Protocol Exclusions:
Protocol-level vulnerabilities which are only exploitable through the control of Collection, Consensus, Execution or Verification nodes are excluded.
Web Application Exclusions:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user's device.
- Use of a known-vulnerable library without evidence of exploitability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service or denial-of-service attack (DoS).
- Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.
- Rate limiting or brute force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy (CSP).
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (invalid or incomplete SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers (i.e., less than two stable versions behind the latest released stable version).
- Software version disclosure, banner identification issues, or descriptive error messages or headers (e.g., stack traces, application, or server errors).
- Issues that require unlikely user interaction.
- Social engineering of Flow staff or contractors.
- Tabnabbing.
Our Commitment To You
Activities conducted in accordance with the Responsible Disclosure Program shall be considered authorized, and we will not initiate legal action against you. Flow reserves all legal rights in the event of noncompliance with this program.
We will work with you to investigate and resolve vulnerabilities within a reasonable timeframe.
We reserve the right to change the Responsible Disclosure Program at any time.
Rewards
Rewards are based on the severity of the vulnerability. Reward amounts, if any, will be determined by us in our sole discretion. A maximum of $1M of rewards per person or organization shall be paid within any 12 consecutive months based on the reward value at time of payment. Additionally, all bounty rewards are subject to applicable law.
To qualify for a reward, the vulnerability must fall within our Assets In Scope, comply with our Responsible Disclosure Guidelines, and meet the following criteria:
- Previously unknown - When reported, we must not have already known of the issue, either by internal discovery or other report.
- Material impact - Demonstrable vulnerability where, if exploited, the vulnerability would materially affect the confidentiality, integrity, or availability of our assets.
- Requires action - The vulnerability requires some mitigation.
- Your participation is not prohibited by applicable law.
The following defines the rewards for the Flow protocol and Cadence:
- Severity: Critical
  Reward: $100,000 USD
  Criteria:
  - Emergency remediation
  - Public announcement
  - Hard-forking of a smart contract
- Severity: High
  Reward: $50,000 USD
  Criteria:
  - Immediate analysis and action is necessary
  - Public disclosure in most cases
  - Exploitation would significantly affect the business
  - Eventual fix of smart contract
- Severity: Medium
  Reward: $10,000 USD
  Criteria:
  - Remediation required, but impact is not significant
- Severity: Low
  Reward: $1,000 USD
  Criteria:
  - Low risk issues like misconfigurations with no proven path to exploit
Reporting Vulnerabilities To Us
Please do reach out to us if you have a security concern. If you believe you may have found a security vulnerability in one of our products or platforms, send us an email at security@onflow.org.
If you prefer to encrypt the information you send us, please use our PGP key at OpenPGP Key Server.
Please include the following details with your report:
- A description of the location (e.g. playground/emulator/CLI/Testnet/domain) and the potential impact of the vulnerabilities;
- A detailed description of the steps required to reproduce the vulnerability; and
- Any proof of concept, screenshots, and screen captures. Where feasible, please also include the following:
  1. Cadence version or node with software version
  2. A transaction or a script that demonstrates the issue
  3. Link to relevant documentation in case the documentation is unclear/ambiguous, or mention if this is not covered by docs