OnFinality welcomes security vulnerability reports from the public, and we do pay out bug bounties for responsibly reported issues and vulnerabilities

Scope

While we welcome reports for any vulnerability or issue, our standard practice is to reward responsibly reported vulnerabilities that are found with a CVSS score of 4.5 or higher.

At a high level, all services under the onfinality.io domain are in scope for reporting. However we run a lot of nodes and executable code on behalf of partners (e.g. a partner provides us executable code to run a node in their network), so in the case where a reported issue is from a partner’s codebase we will:

  • Contact you to let you know that the vulnerability has been determined to exist in the partner’s codebase, and to give you a chance to directly contact our partner via their own vulnerability/bug submission processes.

  • If no response has been received after 72hours from you, we will automatically pass knowledge of this vulnerability to the relevant partner (with correct attribution to you).

Rules

 Before you start

  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

  • When in doubt, contact us at privacy@onfinality.io.

  • By participating in OnFinality’s vulnerability reporting program (the “Program”), you acknowledge that you have read and agree to OnFinality’s Terms of Service as well as the following:

    • you are not currently a OnFinality employee or contractor, were not a OnFinality employee or contractor within six months prior to submission, and you did not collaborate on your submission with anyone who was.

    • your participation in the Program will not violate any law applicable to you, or disrupt or compromise any data that is not your own.

    • you are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.

    • OnFinality reserves the right to terminate or discontinue the Program at its discretion.

    • Only test for vulnerabilities on sites you know to be operated by OnFinality and are in-scope.

    • We cannot reward any individual on any U.S. sanctions list, or any individual residing in any U.S.-sanctioned country or region.

Performing your research

  • Do not impact other users with your testing, this includes testing vulnerabilities in workspaces you do not own. If you are attempting to find an authorisation bypass, you must use accounts you own.

  • If you intend to perform load testing, please notify us before hand at privacy@onfinality.io

  • The following are never allowed and are ineligible for reward:

    • Performing distributed denial of service (DDoS) or other volumetric attacks

    • Spamming content

    • Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.

Handling personally identifiable information (PII)

  • Personally identifying information (PII) includes legal and/or full names, or email addresses

  • Do not intentionally access others’ PII. If you suspect a vulnerability provides access to PII, limit queries to your own personal information.

  • Report the vulnerability immediately and do not attempt to access any other data. The OnFinality Security team will assess the scope and impact of the PII exposure.

  • Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned

  • You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.

  • We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability

 Reporting your vulnerability

  • Please email privacy@onfinality.io with all submissions

  • Submissions must include written instructions for reproducing the vulnerability. Submissions without clear reproduction steps or which only include reproduction steps in video form may be ineligible for a reward.

  • When reporting vulnerabilities you must keep all information private. Please refrain from posting information to video-sharing or pastebin sites.

  • For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.

  • During the course of an investigation, it may take time to resolve the issue you have reported. We ask that you refrain from publicly disclosing details regarding an issue you’ve reported until the fix has been publicly made available.