Here at Ethos, we strongly believe in the power of the people. We also understand that security is more important than ever, and that there are many skilled security researchers that would like to make a positive impact, strengthen the systems we use daily, and help keep everyone safe.
We are pleased to announce our Ethos Bug Bounty program! This is an opportunity for responsible security engineers to be rewarded for their contributions. We are providing a channel for disclosing any vulnerabilities that you may come across. If you responsibly submit a qualified report, we will happily reward you for your efforts!
What is Responsible Disclosure?
We support Responsible Disclosure. In order to best protect our users, the integrity of our platform, and the community as a whole, we ask that you stick to the following guidelines:
- Provide us a reasonable time to fix the issue before publishing it elsewhere
- Make best efforts to prevent leaking or destroying user data
- Do not defraud Ethos or its users during the process
- Do not spam the platform with large amounts of fake data
We love our fellow white hats, and won't take legal action against researchers that make best efforts to follow these guidelines.
Once a report is submitted, you can expect a response within 60 days.
By submitting a report, you agree not to publicly disclose the findings. Failure to comply will result in disqualification of any potential rewards, and could result in legal action.
If you submit a report that contains a previously unknown vulnerability, and it results in a change in our codebase, you may qualify for the following:
- Eternal glory in our "Hacker Hall of Fame"
- Ethos gear and accessories
- Virtual hugs
- Monetary reward
Monetary rewards are payable in ETHOS. The reward is based on the severity and eligibility of the vulnerability. Final determination of severity, eligibility, and reward is made by the Ethos security team.
Proof of identification is required to receive a reward. Invalid identification will result in disqualification.
What is in scope?
- All Ethos services, including the mobile Universal Wallet and the Bedrock API.
In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:
- Obtaining user information
- Authentication bypass or privilege escalation
- CSRF, SSRF
- Remote code execution
- Accounting errors
Anything that demonstrates practical method(s) for exploiting a vulnerability may be considered in scope.
What is not allowed, or out of scope?
- Social engineering attacks against either Ethos or its users are strictly forbidden
- Third parties that use the Bedrock API
- Exploits that require privileged access on mobile devices (phone rooted/jailbroken) or that are limited to physical device access
- Password complexity requirements
- Brute force attacks against user chosen passwords
- Reports from automated tools or scans without demonstration of exploitability
- Missing best practices which don't lead to a vulnerability (automated scanners tend to report these)
- Missing CSRF tokens which don't affect the security of the application
- SSL/TLS issues (renegotiation DoS, cipher suites, etc.) unless you can demonstrate a practical attack
Anything that does not demonstrate practical method(s) for exploiting a vulnerability may be considered out of scope.
How to submit a report
- Check out How to Write a Good Vulnerability Report
- Send us the report via PGP-encrypted email at firstname.lastname@example.org
Our PGP Public Key: