Chainflip Labs is committed to ensuring the security and integrity of the Chainflip Protocol. To achieve this goal, we invite security researchers and ethical hackers to participate in our Bug Bounty Program. This program encourages responsible disclosure of security vulnerabilities and provides incentives for those who help us identify and address such issues. By participating in our Bug Bounty Program, you agree to the following terms and conditions:
Our Bug Bounty Program covers the following areas:
- The Chainflip Protocol code, including its Rust backend and Solidity smart contracts
- Public API endpoints and associated services
- Chainflip Labs operated web applications related to the protocol, including scan, swap, auctions, and validators, where said vulnerabilities could lead to the loss of user funds
Disclosures related to the above will be taken seriously, but only if they can be proven to be true. We have received multiple reports that assert a vulnerability without an accompanying proof of concept. The following areas are out of scope for the program:
- The Chainflip website, domain, or email configuration, including DNS settings, DKIM, etc.
- Phishing vectors not related to the Protocol
- Third-party applications or services
- Third-party dependencies
- Physical security or social engineering attacks
- Denial of Service (DoS) attacks
- Issues already reported by another researcher or identified internally
You are welcome to contact us regarding these issues, but please note that we do not pay bounties for these kinds of reports.
When you discover a potential security vulnerability, please report it to Chainflip Labs as soon as possible by following the responsible disclosure process outlined below:
- Send an email to security@chainflip.io with the subject line "Bug Bounty Submission".
- Provide a detailed description of the vulnerability, including the steps to reproduce it and any supporting evidence.
- Include any relevant code snippets, proof-of-concept scripts, or tools used to identify the vulnerability. Please conduct a proof-of-concept before submitting.
- Include your contact information for us to reach out to you regarding the issue.
- Please be patient while we review the submission.
Chainflip Labs will reward security researchers for responsibly disclosing security vulnerabilities based on the severity and impact of the issue. Rewards will be provided at the discretion of Chainflip Labs.
The severity of the issue will be assessed according to the Common Vulnerability Scoring System (CVSS) version 3.0. Researchers are encouraged to provide CVSS scores when reporting vulnerabilities.
Rewards will be issued in FLIP tokens unless otherwise agreed upon with the researcher.
Chainflip Labs may recognize the contributions of security researchers in our security hall of fame or by mentioning them on our website, blog, or social media channels, subject to the researcher's consent.
Researchers participating in the Bug Bounty Program must adhere to the following guidelines:
- Do not engage in any activity that could disrupt Chainflip Labs' services or harm our users.
- Do not access or modify data without proper authorization.
- Do not disclose or publish any information related to vulnerabilities until they have been resolved by Chainflip Labs.
- Comply with all applicable laws and regulations.
Chainflip Labs will treat all bug submissions and communication with researchers as confidential, except when disclosure is required by law. We encourage researchers to maintain confidentiality as well.
Chainflip Labs commits not to pursue legal action against security researchers who comply with the responsible disclosure guidelines outlined in this policy.
If any security researcher or ethical hacker should decide to exploit a found vulnerability to extract tokens or assets from the protocol in order to safeguard them from malicious parties, we strongly encourage that party to notify us immediately. We also hereby confirm that our safe-return address for the Governance Council at Chainflip Labs is 0x38a4BCC04f5136e6408589A440F495D7AD0F34DB.
Any party that sends safe-guarded assets back to the Governance Council will be protected under no-legal-action rights and shall be rewarded for safeguarding exploitable assets.
Chainflip Labs reserves the right to modify or terminate the Bug Bounty Program at any time without prior notice. We also reserve the right to adjust rewards and criteria.
For any questions or to report security vulnerabilities, please contact us at security@chainflip.io.
By participating in the Bug Bounty Program, you acknowledge that you have read and agree to these terms and conditions. Your cooperation in helping us improve our security is greatly appreciated. Thank you for contributing to the safety of our products and services.
Last updated: 16Jan24