Bug Bounties
Findora's bug bounty program
Findora is committed to 100% security on its network and providing an intuitive user experience to our community. Security is our top priority, and we are dedicated to protecting your information both on and off-chain. To that end, we have instituted a bug-bounty system so you can submit any vulnerabilities. Your contributions are hugely appreciated by the project! All vulnerabilities submitted will be used to improve Findora’s security as well as the user experience. This program rewards anyone who can find security vulnerabilities in Findora or any of the tools it creates. We look forward to working with the security community to find vulnerabilities in order to keep our partners and users safe.
Reporting a vulnerability
All security issues and questions should be reported via email to bugs@findora.org. This will be acknowledged based on the following SLAs. You will receive a more detailed response, indicating the perceived severity and the next steps in handling your report after the initial response.
Response Targets
Findora will make its best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | Details | SLA in business days |
|---|---|---|
First Response | Security report is received and assigned to an owner. This person will coordinate the process of evaluating, fixing, releasing and disclosing the issue. | 5 Days |
Time to Triage | The evaluation process is performed. It's identified if the issue exists, its severity and which version / components of the code is affected. Additional review to identify similar issues also happens. | 10 Days |
Time to Bounty | Rewards will be distributed to the issue reporter. | 14 Days |
Time to Resolution | Fixes are implemented for all supported releases. These fixes are not publicly communicated but held in a private repo of the Security Team or locally. | Depends on severity and complexity |
We will do our best to keep you informed about our progress.
Program Rules
Please provide reproducible steps in your report. As much detail as possible is appreciated – if the report doesn’t contain sufficient details to be reproducible, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
In the case of duplicate reports, we will reward the report that was first reproducible report received.
Multiple vulnerabilities caused by one underlying issue will be awarded a single bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
Rewards
Our rewards use the Common Vulnerability Scoring Standard and are based on the severity of the issue reported. These are general guidelines, and Findora reserves the right to make the final decision with regard to the reward.
| Critical (9.0 - 10.0) | Important (7.0 - 3.9) | Low (0.1 - 3.9) |
|---|---|---|
$10,000 | $2,000 | $500 |
Disclosure Policy
Because this is a private program, we request that you do not discuss this program or any vulnerabilities, whether resolved or not, with anyone outside of the program without express permission from Findora.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
We really appreciate your contributions and work in keeping Findora and its users secure!
Last updated