github.com/core-coin/go-core/v2@v2.1.9/SECURITY.md (about) 1 ## Introduction 2 3 Core Blockchain aspires to engage with responsible global security experts to bolster the security of the Core Blockchain ecosystem. We've instituted a program to facilitate the reporting of vulnerabilities to the Core Team and to recognize your efforts in strengthening blockchain as a reliable and trustworthy technology. 4 5 ## Security Declaration 6 7 The Core development team's allocated time frame for implementing a solution varies according to the severity level indicated in the report, which can last up to 90 days. Kindly ensure this process has been concluded before bringing the vulnerability to public light. 8 9 ## Rewards 10 11 In recognition of researchers uncovering systemic flaws, we extend bounties in our digital currency, Core Coin (XCB). The final sum of the reward is contingent upon the severity level of the reported vulnerability. 12 13 The assessment of rewards in our system aligns with the [OWASP](https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) risk rating model, which takes into account both impact and likelihood in the calculation process. 14 15 | **Impact** | **Severity** | **Severity** | **Severity** | 16 |--------------|-----------------|-----------------|-----------------| 17 | **High** | Moderate //S3// | High //S4// | Critical //S5// | 18 | **Moderate** | Low //S2// | Moderate //S3// | High //S4// | 19 | **Low** | Note //S1// | Low //S2// | Moderate //S3// | 20 | | **Low** | **Medium** | **High** | 21 | | **Likelihood** | **Likelihood** | **Likelihood** | 22 23 ## Eligibility 24 25 In our assessment, a bug's potential to jeopardize the security or stability of the Core Network forms the basis for potential reward qualification. However, it ultimately falls under our purview to discern whether a bug aligns with the established criteria for reward eligibility. 26 27 - You must be the very first individual to ethically report a previously unknown problem. 28 - The bug must be reported using the most recent software version. 29 - Ensure the bug has not been previously identified. Please, review any [published security advisories](https://github.com/core-coin/go-core/security/advisories). 30 31 Generally, the following vulnerabilities are not considered severe and are, therefore, not eligible to report: 32 33 - 0-day vulnerabilities that have just been released. 34 - Vulnerabilities reliant on physical attacks, spamming, DDOS attacks, social engineering, etc. 35 - Vulnerabilities on third-party hosted sites that are not proven prone to causing a vulnerability on a main-website scale. 36 - Third-party application vulnerabilities utilizing Core Blockchain’s API. 37 - Vulnerabilities found on past versions of or otherwise unpatched applications. 38 - Flaws that have not been thoroughly investigated and have not been reported in a satisfying manner. 39 - Issues with no successful reproducibility. 40 - Bugs that the team had prior knowledge of or those previously reported by another party (the reward is granted to the initial reporter). 41 - Vulnerabilities that the team cannot reasonably be expected to address. 42 43 ## Severity 44 45 The evaluation of a bug's severity plays a pivotal role in determining the monetary reward. Factors taken into account encompass the number of individuals affected and whether the core or supplementary modules are implicated. 46 47 ## Best Practices 48 49 - Employ your localized Go-core instance alongside a distinct network (avoid the test or public networks) for scouring security vulnerabilities. 50 - Keep in mind the public nature of blockchains; someone might chance upon your discoveries and report a bug ahead of you. 51 - Providing a detailed step-by-step report or an exploit script is highly encouraged. This expedites our comprehension and resolution of the issue, ensuring you receive your rewards promptly. 52 53 ## Legal 54 55 Residents or individuals situated within countries listed on any EU sanctions roster are ineligible to partake in this program. It is incumbent upon you to account for any tax ramifications or supplementary constraints contingent on your country's specific laws and regulations. While we reserve the right to amend or conclude this program at any juncture, any alterations made to the program terms will not be applied retroactively. 56 57 ## Vulnerability Reporting 58 59 - Ensure your report is comprehensive, encompassing details about the bug's nature, potential consequences, and instructions for reproduction or a proof of concept. 60 - Express your message in English. 61 - Kindly allow a period of three business days for our response before considering sending a follow-up email. 62 63 [Report Vulnerability](https://dev.coreblockchain.net/vulnerability-report)