The ShockNet team and our open-source community take all security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
To report a security issue, please use the GitHub Security Advisory "Report a Vulnerability" feature on our repository page.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
We request that you:
- Allow us a reasonable amount of time to fix the issue before disclosing it publicly.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of any services.
- Only interact with accounts you own or with explicit permission of the account holder.
- Do not exploit the vulnerability beyond the minimum amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
This security policy applies to all ShockNet repositories.
- The security team will acknowledge receipt of your report within 3 business days.
- We will send a more detailed response within 7 days indicating the next steps in handling your report.
- We will keep you informed about the progress towards a fix and full announcement.
- We may ask for additional information or guidance.
Due to griefing attacks we do not officially offer a paid bug bounty program.
We may offer a bounty for critical vulnerabilities on a case-by-case basis, payable in Bitcoin. Determining whether a vulnerability qualifies and the amount of the bounty is at our sole discretion.
We are deeply grateful to security researchers who take the time to investigate and report security vulnerabilities to stengthen the Bitcoin ecosystem.
We support safe harbor for security researchers who:
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Only exploit vulnerabilities to the extent necessary to confirm them.
- Do not use an exploit to compromise or exfiltrate user data.
- Cease testing and submit a report immediately upon discovery of a vulnerability.
- Do not publish or share vulnerabilities or associated details other than with the ShockNet team until the team has had a reasonable time to address them.
Thank you for helping keep our users safe!