Vulnerability Disclosure Program
Handling DFINITY Security Bugs
Security is a cornerstone of the Internet Computer, a blockchain that realizes the vision of a decentralized global computer running throughout the internet. Safeguarding this network is of the utmost importance, and the community’s participation in this effort is essential. The DFINITY Foundation’s newly launched Vulnerability Disclosure Program recognizes the contributions of researchers around the globe who help to ensure that the Internet Computer remains secure. The program provides guidelines and steps on how to responsibly disclose potential vulnerabilities. The DFINITY Security Team maintains this policy and coordinates the program. We will engage with you to understand and evaluate security bugs, as well as coordinate any corresponding fixes as may be necessary. Although the team will work hard to review submissions, as a small team, we have to prioritize our focus depending on the situation. Please be patient and continue to engage with us.
Vulnerability Disclosure Policy
- All of your findings must be submitted through the Vulnerability Disclosure Program.
- Ensure that the potential security bug you are reporting is in scope as specified by the “Scope” section below.
- For security reasons, do not share your findings with anyone other than DFINITY. All of your findings have to be treated as confidential for a period of time until the security team is able to fix the bug.
- The testing activities that you conduct must be limited to showing that a potential vulnerability exists.
- Provide clear technical details explaining the attack scenario, method of exploitation, steps to reproduce, and security impact.
- Provide details on how you uncovered the issue, the situational sequence that led to the finding, and your suggestions for remediation.
- Submit relevant logs, proof-of-concept code, documents, screenshots, and recordings of the vulnerability, along with the details of the environment you were working on while discovering the issue.
- In cases where you find an issue but don’t have the time or the resources to carry out a complete investigation, provide any information that you have at hand. Include a note saying that you could not complete your investigation, and provide details on how to continue the investigation further.
- Submit your report and artifacts via the Vulnerability Disclosure Program intake form.
- Do not use automated testing tools to look for vulnerabilities.
- Do not engage in social engineering techniques or spear-phishing campaigns.
- Do not undertake Denial-of-Service (DOS) testing.
- Do not exfiltrate data under any circumstances.
- Any accidental disclosures of sensitive data and information that result from testing activities must be disclosed to DFINITY.
- Bugs in third-party code are strictly excluded from scope.
- Public disclosure of the vulnerability without abiding by this policy makes it ineligible for rewards.
- If the same issue is reported by different researchers during a 48-hour window, it will result in the reward being split equally between them.
- If a bug was already reported, it will be ineligible for rewards after the 48-hour window.
- DFINITY Foundation employees and those of its subsidiaries and affiliates are ineligible for rewards.
- At this point in time, the rewards are reserved only for critical bugs identified in the Internet Computer that can affect its operation and stability.
- The DFINITY team will evaluate the severity of the reported bugs and allocate the appropriate reward. The rewards will depend solely on the team’s discretion.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.