Parity Technologies: Program info

In Scope

If you've found a potential bug in Polkadot SDK, Runtimes, or associated build and deployment infrastructure, then we want to hear from you! Parity welcomes vulnerability reports that demonstrate security flaws in:

• Polkadot SDK: implementation-related issues only. Any bugs which can be used to bring down or take control of Substrate based chains without direct access to the machine, including bugs in pallets and primitives.
• Runtimes: Any bugs that compromise the intended behaviour of the various blockchain runtimes (Kusama, Polkadot, etc).
• Parity Releases Pipeline: any bugs which could be used to enable an attacker to inject malicious code into our distributed binaries, or be used to halt Parity's release process or add malicious/unintended functions to the released binaries.
• Production infrastructure: publicly available infrastructure Parity runs for production-grade networks (in contrast to testnets), especially parts which are critical for a network's well-being or safety of funds. Please note that this does not include our publicly available web pages.
• Polkadot-JS: only apps, extension, and common repositories. Please note that where the scope of this policy includes third-party code this should not be taken as an indication that we are legally or otherwise responsible for that code, its security, quality or your rights in respect of that code.

Out of Scope

Did you find a bug in our open source blockchain code or related infrastructure? Great! Submit report!

Most other things are not in scope, though. Specifically:

• Static or dynamic websites (hosted behind parity.io, polkadot.network and substrate.io (sub)domains), until you can find a way to compromise the data on the website for all of the visitors.
• Bugs which have already been submitted by another user or are already known to the Parity team or have already been publicly disclosed.
• Bugs in third-party tools and services we're using (but we would be glad to connect you with the security team of the corresponding project).
• Parity Technologies' development team, Parity Technology employees and any other person employed or providing services in any way to the company, directly or indirectly, are not eligible for rewards. Social engineering attacks are also here.
• Anything that contravenes the spirit or letter of this Program.

Responsible investigation and reporting includes, but isn't limited to, the following:

• Use your best effort not to access, modify, delete, or store user data or Parity’s data. Instead, use your own accounts or test accounts for security research purposes.
• Don’t defraud, harm, or violate the privacy of Parity Technologies Ltd or its users during your research; you should make a good faith effort to not interrupt or degrade our services.
• Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
• Initially report the bug only to us and not to anyone else.
• Keep the details of any suspected bug confidential.
• After reporting a suspected bug, give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and seek our approval before disclosing it to anyone else. An uncoordinated public disclosure may lead to your submission being disqualified from the Program (consequently, leaving you without any payout or recognition from Parity’s side).
• Please don’t make repeat submissions of low quality, rejected or automated vulnerability reports. In general, please investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us or our users. Otherwise your actions might be interpreted as an attack rather than an effort to be helpful.

We evaluate submissions based on impact and the following help us more quickly respond to your submission:

• Provide us with a working proof-of-concept or equivalent evidence, assuming that your research didn’t produce unrecoverable changes. This helps us evaluate that your submission is within the program’s scope and is usable in possible attacks.
• If you suspect that the flaw you have found may be fatal for the items in the scope, please DO NOT take further actions. Instead, describe your assumptions as much as possible in the report. The Security team will investigate and submit a higher bounty if it has a greater impact than you were able to determine without breaking our stuff. Please do not break our (or anyone’s) stuff.
• In the report, include your vision of the potential impact and potential attack scenario, including required attack conditions. If your submission requires special, unrealistic conditions, or must be chained with other attacks with such conditions to be executed, unfortunately, it is OUT OF SCOPE.
• If there is no impact, then we aren’t really interested. Purely theoretical findings are sometimes entertaining to investigate, so feel free to send us any — but if there’s no way it can be used to break our systems in practice, it won’t be eligible.
• If you can identify some issues in our core products (Polkadot, Substrate, Polkadot-JS, cryptography libraries or consensus algorithm), but you can’t provide a working proof of concept, you are always welcome to share your inputs with Parity. We will evaluate your findings carefully, it just takes more time this way.
• If you are able to compromise something significant, please STOP at the point of recognition, collect the small evidence enough to understand where you are and what you can do, and report the vulnerability. This is particularly important if after having discovered the initial vulnerability, your continued research is likely to look a lot more like an attack than research. At that point, we might find the vulnerability before you tell us, making your discovery no longer eligible, and if we do not know that you are friendly, we might be required to get law enforcement or other authorities involved. We would prefer to avoid dealing with either of situations.
• You are welcome (and encouraged!) to include additional comments about your assumptions and further suspicions in your bug bounty report. The Security team will investigate your report and the potential consequences of the flaw you have identified, and submit a higher bounty if it is a valuable finding with an impact higher than you were able to determine.
• To be eligible for a reward under this Program:
• Play by the rules — this includes complying with the spirit and letter of this policy as well as any other applicable laws or agreements.
• The security bug must be original and previously unreported. Duplicate submissions made within 72 hours of each other will split the bounty between reporters. If duplicate submissions are of unequal quality, the split will be at the level of the lesser report, and the greater report will receive a pro-rated additional bounty on top of the split. Despite striving to be transparent as much as possible, we do not disclose other participant’s names in such cases.
• The security bug must be a part of Parity’s code, not the code of a third party. We will pay bounties for vulnerabilities in third-party libraries (for instance, libp2p) incorporated into shipped client code utilized by Parity if both of the following two conditions are met:
• the bug leads to an exploitable vulnerability in Parity's software in particular, and
• is not actively maintained by another commercial entity with a separate bug bounty program.
• You must not have written the buggy code or otherwise been involved in contributing the buggy code to the Parity project.
• You must be old enough to be eligible to participate in and receive payment from this Program in your jurisdiction, or otherwise qualify to receive payment, whether through consent from your parent or guardian or some other way.
• You must not be an employee, contractor, or otherwise have a business relationship with the Parity or any of its subsidiaries.
• If you inadvertently access, modify, delete, or store user data, we ask that you notify Parity immediately at [email protected] and delete any stored data after notifying us.
• We might be prevented by law from paying you. For example, if you happen to live in a country on a sanctions list that applies to us. In this case, if we can we would be happy to make a donation to a well-established charity of your choice.
• You must not either directly or indirectly exploit the security vulnerability for your own gain or incite, encourage or assist anyone else in doing so.
• Before sharing any part of the security issue with a third party, you must give us a reasonable amount of time to address the security issue.
• To the extent that you propose a fix that includes code we will ask you to sign our standard contributor license agreement with respect to that fix so that we can deploy it going forwards.
• Do not threaten or attempt to extort Parity. We reserve the right to disqualify individuals from the Program if they threaten to withhold the security issue from us or if you threaten to release the vulnerability or any exposed data to the public or any third party or otherwise act in a malicious, disrespectful, or disruptive manner.

We want your bugs! But please note that it's entirely at our discretion to decide whether a bug is significant enough to be eligible for reward.

In case that your finding is valid you might be asked for extra KYC verification to proceed with payments

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
• No vulnerability disclosure, including partial is allowed for the moment.
• Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
• You must not be a former or current employee of us or one of its contractor.
• ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded)
• Provide detailed but to-the point reproduction steps