Security Vulnerability Program

No software is ever perfect. Even fully vetted production releases can often have awkward bugs or security vulnerabilities that manage to slip through the cracks. We take the security of the ARK network very seriously and want to do everything we can to encourage and incentivize responsible and timely reporting of any discovered vulnerabilities in our code. To do this, we provide a vulnerability reporting process that includes monetary rewards for bugs or errors in the Core that could potentially harm or exploit the ARK network.

At this time, ARK Core (v3.x+) is the only product eligible for monetary rewards. All other products and services under the ARK Ecosystem SCIC domain do not fall within the scope of this program. If you find a security vulnerability in our other products and services, you can still report them to our email [email protected] and if they are valid we will address them accordingly with recognition of your contribution. Thank you in advance for all reports!

Security Vulnerability Disclosure Program

Security vulnerability disclosures are weighed based on the impact on the network and assigned a tier that determines the range of payment provided for proper disclosure. Patches are not required to receive payment for a vulnerability disclosure but any recommendations on potential mitigations are appreciated and welcome.

Note: All disclosures are examined on a case-by-case basis given the nature of the disclosed vulnerability and the impact on the network.

GitHub repository: https://github.com/ArkEcosystem/core

Security Vulnerability Classifications

Below you will find a tiered structure that outlines the general classification of our security vulnerability program.

Critical Vulnerabilities - up to $10,000 USD

Security vulnerabilities that have critical and irreversible/irreparable implications to the network or its infrastructure.

Severe Vulnerabilities - up to $3,000 USD

Security vulnerabilities that cause severe problems to the network for a prolonged period of time.

Moderate Vulnerabilities - up to $1,500 USD

Security vulnerabilities that can cause moderate, temporary problems, but don’t expose any private data or cause permanent harm to the network.

Basic Vulnerabilities - up to $300 USD

Security vulnerabilities that usually have no impact on the blockchain infrastructure, but can still pose problems.

To report a possible security vulnerability, please include your name, preferred contact information, a full disclosure report, and a method to reproduce the issue being reported and email the information to [email protected] with the title “Security Vulnerability Report”.

This information is subject to change and current information will always be available on the current page.

Disclosure of Security Vulnerabilities

Do not discuss any vulnerabilities (even resolved ones) outside of the program without the written consent of the ARK Team.

Reporting Security Vulnerabilities

Before reporting a security vulnerability, the Researcher should review public branches and the latest commits to see if the team is currently aware of the vulnerability. If after review the Researcher believes the security vulnerability is still present, a report should be submitted. Only exploits in the ‘Master’ or ‘Develop’ branch are eligible for monetary rewards (Core v3 onwards, older versions of Core are not eligible for monetary rewards).

Note: Due to the nature of the work, we prioritize evaluations based on risk and other factors, and it may take time before you receive a reply.

To submit a report, send an email to [email protected]; your email should include:

  • Detailed reports with exact reproducible steps (can attach reproduction script as well). The Researcher must be able to completely reproduce and demonstrate the vulnerability or provide valid instructions so that our development team can do the same. This will allow us to properly test any patches prior to release. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Optional: patch or proposed solution to fix the exploit in question.

Some general rules to adhere to:

  • The Researcher must not initiate an exploit on the ARK Public Network (APN) - see terms below. If testing is required for a potential vulnerability or to reproduce it, please use the ARK Development Network or set up your own local ARK-based chain.
  • The Researcher must never have publicly disclosed the exploit or vulnerability.
  • By making a submission, the Researcher acknowledges that the report is original to them.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded only one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • The security vulnerability must be reproducible on a server running the specifications outlined for a Forger Node (Recommended), with general server security applied (the iptables script for the Development or Public network, and tightening security on your server), and with the Public API closed.
  • Security vulnerabilities that are present in 3rd party libraries used in the Core are not eligible for monetary rewards.
  • DDoS attacks on the network are not eligible for monetary rewards.

Terms

You must comply with security industry best practices, and all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program. You agree that any and all information acquired or accessed as part of this exercise is confidential to ARK and you shall hold all such information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give, or disclose such information to third parties or use such information for any purposes other than for the performance of your work or as expressly authorized in writing by ARK.

All bounty and security vulnerability programs are discretionary. You understand that they can be canceled at any time. ARK reserves the right to make changes to the program at any time.

Any testing carried out must not violate any laws, or disrupt or compromise any data belonging to ARK.

Disclaimer: Category of the severity of the disclosure and all monetary decisions are at the sole discretion of the ARK Team and are final. Exploits that make indirect use of already known issues may not be eligible for payment. Tier classifications are for reference only and do not impact or predict potential classification or payment. Past evaluations of security vulnerabilities are not indicative of future evaluations. Security vulnerabilities are paid in ARK or BTC based on the daily average rate before the payout at the sole discretion of the ARK Team. Please direct any questions to [email protected] with the title “SV Program Help”.

Last updated 2 years ago