Here at Ethos, we strongly believe in the power of the people. We also understand that security is more important than ever, and that there are many skilled security researchers that would like to make a positive impact, strengthen the systems we use daily, and help keep everyone safe.


We are pleased to announce our Ethos Bug Bounty program! This is an opportunity for responsible security engineers to be rewarded for their contributions. We are providing a channel for disclosing any vulnerabilities that you may come across. If you responsibly submit a qualified report, we will happily reward you for your efforts!


What is Responsible Disclosure?

We support Responsible Disclosure. In order to best protect our users, the integrity of our platform, and the community as a whole, we ask that you stick to the following guidelines:

- Give us a reasonable amount of time to fix the issue before publishing it elsewhere
- Make best efforts to prevent leaking or destroying user data
- Do not defraud Ethos or its users during the process
- Do not spam the platform with large amounts of fake data


We love our fellow white hats, and won't take legal action against researchers that make best efforts to follow these guidelines.



Rewards


If you submit a report that contains a previously unknown vulnerability, and it results in a change in our codebase, you may qualify for the following:

- Eternal glory in our "Hacker Hall of Fame"
- Ethos gear and accessories
- Virtual hugs
- Monetary reward

Monetary rewards are payable in ETHOS, but we may be able to make exceptions depending on the report and the wishes of the successful researcher. The reward is based on the severity and eligibility of the vulnerability. Final determination of severity, eligibility, and reward rests with the Ethos security team.


Proof of identification is required to receive a reward. Invalid identification will result in disqualification.



What is in scope?

- All Ethos services, including the mobile Universal Wallet and the Bedrock API.

In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:

- Obtaining user information
- Authentication bypass or privilege escalation
- Injections
- XSS
- CSRF, SSRF
- Clickjacking
- Remote code execution
- Accounting errors

Anything that demonstrates practical method(s) for exploiting a vulnerability may be considered in scope.



What is not allowed, or out of scope?


- Social engineering attacks against either Ethos or its users are strictly forbidden
- Self XSS (getting someone to paste JavaScript into their browser console)
- DoS/DDoS
- Third parties that use the Bedrock API
- Exploits that require privileged access on mobile devices (phone rooted/jailbroken) or that are limited to physical device access
- Password complexity requirements
- Brute force attacks against user chosen passwords
- Reports from automated tools or scans without demonstration of exploitability
- Missing best practices which don't lead to a vulnerability (automated scanners tend to report these)
- Missing CSRF tokens which don't affect the security of the application
- SSL/TLS issues (renegotiation DoS, cipher suites, etc.) unless you can demonstrate a practical attack

Anything that does not demonstrate practical method(s) for exploiting a vulnerability may be considered out of scope.


How to submit a report

- Check out How to Write a Good Vulnerability Report
- Send us the report via PGP-encrypted email at security@ethos.io

Our PGP Public Key:
