removing assets out-of-scope to avoid duplicated maintenance of the list, and also making modifications regarding the severity classification of impacts (v2.2 -> v2.3)
SECURITY.md
Lines changed: 2 additions & 37 deletions
@@ -19,47 +19,12 @@ Websites and Applications
19
19
20
20
A great place to begin your research is by working on our testnet. Please see our [documentation](https://docs.threshold.network) to get started. We ask that you please respect network machines and their owners. If you find a vulnerability that you suspect has given you access to a machine against the owner's permission, stop what you're doing and create a report using the immunefi dashboard for researchers.
21
21
22
-
### Out of Scope Impacts
23
-
24
-
Please note that the following impacts and attack vectors are excluded from rewards for the Immunefi bug bounty program:
25
-
26
-
General:
27
-
- Attacks that the reporter has already exploited themselves, leading to damage
28
-
- Attacks requiring access to leaked keys/credentials
29
-
- Attacks requiring access to privileged addresses (governance, strategist), except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
- Theoretical impacts without any proof or demonstration
41
-
- Content spoofing / Text injection issues
42
-
- Self-XSS
43
-
- Captcha bypass using OCR
44
-
- CSRF with no security impact (logout CSRF, change language, etc.)
45
-
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
46
-
- Server-side information disclosure such as IPs, server names, and most stack traces
47
-
- Vulnerabilities used to enumerate or confirm the existence of users or tenants
48
-
- Vulnerabilities requiring unlikely user actions
49
-
- Lack of SSL/TLS best practices
50
-
- Attacks involving DOS and/or DDoS
51
-
- Attacks that require physical contact to the victims computer and/or wallet
52
-
- Attacks requiring privileged access from within the organization
53
-
- SPF records for email domains
54
-
- Feature requests
55
-
- Best practices
56
-
57
-
Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.2](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/). This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.
22
+
Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). This is a simplified 4-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.
58
23
59
24
60
25
## Reporting a Vulnerability Not Covered by the Bug Bounty Program
61
26
62
-
Security researchers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope. If you can demonstrate a critical impact on code in production for an asset not in scope, Threshold DAO encourages you to submit your bug report using the “primacy of impact exception” asset in Immunefi.
27
+
Please, verify the list of assets in-scope and out-of-scope available as part of the [Threshold Bug Bounty details](https://immunefi.com/bounty/thresholdnetwork/). Additionally, security researchers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope. If you can demonstrate a critical impact on code in production for an asset not in scope, Threshold DAO encourages you to submit your bug report using the “primacy of impact exception” asset in Immunefi.
63
28
64
29
Threshold DAO will try to make an initial assessment of a bug's relevance, severity, and exploitability, and communicate this back to the reporter. The Threshold DAO will compensate important findings on a case-by-case basis. We value security researchers and we encourage you to contact us to discuss your findings.
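Review bot: with the whole "Out of Scope Impacts" list deleted in this hunk, the kept sentence "security researchers are encouraged to submit issues outside of the outlined Impacts and Assets in Scope" now points at a list that no longer exists in this file, so a researcher reading SECURITY.md alone cannot tell what is excluded. Either reword it to "outside of the Impacts and Assets in Scope listed on the Immunefi bounty page", or keep a one-line pointer such as "Exclusions (already-exploited attacks, leaked credentials, DoS, etc.) are maintained on the Immunefi page" so the safety guidance in the testnet paragraph above still has an anchor if the external page is unavailable. Two smaller points on the same added line: "Please, verify" should be "Please verify", and "in-scope and out-of-scope" used after the noun should read "in scope and out of scope". Finally, the new text changes "5-level scale" to "4-level scale" alongside the V2.2 to V2.3 link swap; please double-check that count against the linked V2.3 page before merging, since the commit message only mentions the version bump.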