Announcing’s Responsible Disclosure Policy and Bounty Program

David Turner
Mar 27, 2019 · 6 min read

Today, we’re announcing an updated responsible disclosures policy and bug bounty program for software included in the core repositories. We hope that we’ll be able to encourage security of the protocol and software through collaboration. In this post, I’ll cover some of the highlights of the policies we’re putting in place.

We value the input of researchers acting in good faith to help us maintain a high standard for the security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. Our policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

This article does not contain the entirety of our policies on security/contributing and those policies may change over time. You should always review the most current policy in place that will be available at

What is a responsible disclosure policy?

For more information on full disclosures vs. responsible disclosures, take a look at an article by Bruce Schneier of Counterpane Internet Security that can be found at

What all will be covered under the responsible disclosures policy?

Other examples of out scope reports include, but are not limited to:

  • Findings from physical testing such as office access (e.g. open doors, tailgating);
  • Findings derived primarily from social engineering (e.g. phishing, vishing);
  • Findings from applications or systems not listed in the ‘Scope’ section;
  • UI and UX bugs and spelling mistakes;
  • Network level Denial of Service (DoS/DDoS) vulnerabilities

Also, reports must not be fully dependent on exposure to some contrived scenario that may not be feasible.

What can you expect from the team?

  • Extend Safe Harbor for your vulnerability research that is related to this policy
  • Work with you to understand and validate your report, including a timely initial response to the submission
  • Work to remediate discovered vulnerabilities in a timely manner
  • Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change

What about “safe harbor” protections?

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.

Where can I find the official channels for submissions?

We’ll look at adding more official channels over time. Please visit for an up to date list. Also, we’ve made a PGP key available for encrypting your submission that can be found on our website.

What about the bug bounty program?

Rewards will be based along the OWASP Risk Rating Methodology which allows us to estimate the associated risk of disclosed vulnerabilities to Using this rating system will help to ensure that we’re properly prioritizing any modifications that might need to be done and gives researchers a pretty well-known, simple system to reference. The basic way to describe the OWASP ratings is “Risk = Likelihood * Impact”.

What type of compensation is being given for the bounties?

  • Note: Up to $50
  • Low: Up to $100
  • Medium: Up to $500
  • High: Up to $1,500
  • Critical: Up to $3,000

Every submission will also be evaluated for quality as a factor for compensation. High quality submissions need to include reproduction steps, failing test cases, and well-written fixes. Low quality submissions may not be rewarded at all, especially if they are too vague or don’t contain steps for reproduction.

Only one bounty will be awarded per vulnerability. We’ll favor the first person to submit a complete report.

This is a private program and all bounties are subject to the discretion of the Foundation.

What eligibility requirements are there for collecting on any bounties?

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing
  • Perform research only within the scope set out below
  • Use the identified communication channels to report vulnerability information to us
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and until we’ve had 90 days to resolve the issue
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope
  • Submissions cannot be submitted through a broker or third-party
  • Must be the first person to submit a complete report

Also, you must:

  • Not be employed by any officially-related company of the organizations or Development Labs
  • Not reside in any country which the United States has issued sanctions against (e.g. Cuba, Iran, North Korea, Sudan, and Syria)
  • Not be in violation of any national, state, or local law or regulation with any activities related (directly or indirectly) to the responsible disclosures policy.
  • Not attempt to extort us or demand ransom.

If you fail to act in good faith of these guidelines, or if we believe you have violated these guidelines, you will become ineligible for any bounties. If you feel like you are potentially breaking the rules, contact us through one of the official security related communication channels and let us work with you to make sure everything that you’re doing is acceptable.

Anything else?

Some of the language we’ve used for our policies came from, a collaborative and vendor-agnostic project to standardize best practices around safe harbor for good-faith security research. We’ve also used language from Snyk in prior disclosure documents.

We hope that you’re excited about our approaches to collaborative security and look forward to any vulnerabilities that you may find!

Update: As of October 1st, 2019, we have closed the bug bounty program as we will be transitioning the protocols to become the Linked Claims protocols. The team will continue to contribute to the Linked Claims protocols and use it as we develop applications.

Join us on Telegram!

Follow us on Twitter!

Visit our Website!

Check out our GitHub! Blog

The decentralized protocol for content ownership, discovery…