Security: chainflip-io/chainflip-backend

Security

SECURITY.md

Bug Bounty & Responsible Disclosure Program Policy

Chainflip Labs is committed to ensuring the security and integrity of the Chainflip Protocol. To achieve this goal, we invite security researchers and ethical hackers to participate in our Bug Bounty Program. This program encourages responsible disclosure of security vulnerabilities and provides incentives for those who help us identify and address such issues. By participating in our Bug Bounty Program, you agree to the following terms and conditions:

Scope of the Program

Our Bug Bounty Program covers the following areas:

  • The Chainflip Protocol code, including its Rust backend and Solidity smart contracts.
  • Public API endpoints and associated services.
  • Web applications operated by Chainflip Labs that relate to the protocol, including scan, swap, auctions, and validators.

Please note that this program does not cover:

  • Third-party applications or services
  • Third-party dependencies
  • The Chainflip website or email configuration
  • Physical security or social engineering attacks
  • Denial of service (DoS) attacks
  • Issues already reported by another researcher or identified internally

Responsible Disclosure

If you discover a potential security vulnerability, please report it to Chainflip Labs as soon as possible by following the responsible disclosure process outlined below:

  1. Send an email to security@chainflip.io with the subject line "Bug Bounty Submission".
  2. Provide a detailed description of the vulnerability, including the steps to reproduce it and any supporting evidence.
  3. If applicable, include any relevant code snippets, proof-of-concept scripts, or tools used to identify the vulnerability.
  4. Include your contact information for us to reach out to you regarding the issue.

Rewards and Recognition

Chainflip Labs will reward security researchers for responsibly disclosing security vulnerabilities based on the severity and impact of the issue. Rewards will be provided at the discretion of Chainflip Labs.

The severity of the issue will be assessed according to the Common Vulnerability Scoring System (CVSS) version 3.0. Researchers are encouraged to provide CVSS scores when reporting vulnerabilities.

Rewards will be issued in FLIP tokens unless otherwise agreed upon with the researcher.

Chainflip Labs may recognize the contributions of security researchers in our security hall of fame or by mentioning them on our website, blog, or social media channels, subject to the researcher's consent.

Responsible Research

Researchers participating in the Bug Bounty Program must adhere to the following guidelines:

  1. Do not engage in any activity that could disrupt Chainflip Labs' services or harm our users.
  2. Do not access or modify data without proper authorization.
  3. Do not disclose or publish any information related to vulnerabilities until they have been resolved by Chainflip Labs.
  4. Comply with all applicable laws and regulations.

Confidentiality

Chainflip Labs will treat all bug submissions and communication with researchers as confidential, except when disclosure is required by law. We encourage researchers to maintain confidentiality as well.

No Legal Action

Chainflip Labs commits not to pursue legal action against security researchers who comply with the responsible disclosure guidelines outlined in this policy.

Safe Harbour for Returning Assets

If any security researcher or ethical hacker should decide to exploit a found vulnerability to extract tokens or assets from the protocol in order to safeguard them from malicious parties, we strongly encourage that party to notify us immediately, and hereby confirm that our safe-return address for the Governance Council at Chainflip Labs is 0x38a4BCC04f5136e6408589A440F495D7AD0F34DB.

Any party that sends safeguarded assets back to the Governance Council will be protected under no-legal-action rights and shall be rewarded for safeguarding exploitable assets.

Program Changes

Chainflip Labs reserves the right to modify or terminate the Bug Bounty Program at any time without prior notice. We also reserve the right to adjust rewards and criteria.

Contact

For any questions or to report security vulnerabilities, please contact us at security@chainflip.io

By participating in the Bug Bounty Program, you acknowledge that you have read and agree to these terms and conditions. Your cooperation in helping us improve our security is greatly appreciated. Thank you for contributing to the safety of our products and services.

Audits

Chainflip has commissioned the following audits of the code in this repository:
