Bug Bounty Submissions
One of the great things about Po.et is the community of enthusiastic and talented members we’ve been able to cultivate. We truly value all the ideas and feedback each and every one of you has given us over the last few years and appreciate how everyone has come together in order to help make this protocol the absolute best it can be. For those who want to continue to help us build a better web, we’ve put together a bug bounty program, aimed at helping us iron out any inevitable errors in our code.
Depending on the severity of a disclosure, we are offering up to $3,000 in compensation (to be paid out in POE); high quality disclosures will be compensated better than low quality submissions lacking in detail. What counts as “high-quality”? Here’s an overview:
Write an Attack Scenario
A good attack scenario will answer these questions:
- Who is exploiting this vulnerability?
- Why are they incentivized to exploit this vulnerability?
- How would they go about exploiting this vulnerability?
- What are the prerequisites for this attack? What position is the attacker in?
- Are there any assumptions that need to be made about the victim?
Answering these questions will give us a holistic view of the vulnerability and demonstrate how an attack might play out.
Give Clear Reproduction Steps
Give us step by step instructions on how to reproduce the bug. The easier it is for us to reproduce the bug, the happier everyone will be. Here is an example from Bughunter University:
Hi Google!
I found an XSS vulnerability in Google Fuzzy Bunnies.
Steps to reproduce:
- Go to https://fuzzy-bunnies.google.com/bunny_contact_form
- Click “Chat with a bunny specialist”
- Insert “><img src=x onerror=alert(document.domain);// > in the textfield
- Click “send”.
Tell us How to Fix it
Tell us how you would fix the bug; What immediate actions should we take? Are there any follow-up steps?
Make Sure the Vulnerability is in Scope
Only software directly developed by the Po.et team is covered under this disclosure policy.
Third-party packages/software/plugins or community-built software are not included. If we get a disclosure for outside software, we will not disclose the vulnerability to the third-party as to protect you from any undue legal issues and to ensure you’re still eligible for any outstanding bounties that they provide.
Other examples of reports not covered under the responsible disclosures policy include:
- Findings from physical testing such as office access (e.g. open doors, tailgating);
- Findings derived primarily from social engineering (e.g. phishing, vishing);
- Findings from applications or systems not listed in the ‘Scope’ section;
- UI and UX bugs and spelling mistakes;
- Network level Denial of Service (DoS/DDoS) vulnerabilities
Is the vulnerability in a repo listed below? If not, it’s not in scope.
- https://github.com/poetapp/node
- https://github.com/poetapp/frost-client
- https://github.com/poetapp/frost-api
- https://github.com/poetapp/explorer-web
- https://github.com/poetapp/poet-js
Follow our Responsible Disclosure Policy
A responsible disclosure policy allows for researchers to collaborate with the Po.et core team to reveal potential vulnerabilities and give us a chance to fix the issue before a public release of the vulnerability. When vulnerabilities are submitted responsibly, it can encourage coordination to minimize the disruption of any services built using Po.et’s software. For more information on responsible disclosures and the bounty program, check out this post.
Submit Through the Proper Channel
Please email security@po.et for all communications. Do not use other channels such as Twitter, Telegram, or Reddit.
We’ll look at adding more official channels over time. Please visit http://po.et/security for an up to date list. Also, we’ve made a PGP key available for encrypting your submission that can be found on our website.
Acknowledgements
Some of the language we’ve used for our policies came from disclose.io and Google Bughunter University. We’ve also used language from Snyk in prior disclosure documents.
We hope that you’re excited about our approaches to collaborative security and look forward to any vulnerabilities that you may find!
Update: As of October 1st, 2019, we have closed the bug bounty program as we will be transitioning the Po.et protocols to become the Linked Claims protocols. The Po.et team will continue to contribute to the Linked Claims protocols and use it as we develop applications.
