Security: celo-org/celo-monorepo

Security

SECURITY.md

Security Announcements

Important

Public announcements of new releases with security fixes and of disclosure of any vulnerabilities will be made in the Celo Forum's Security Announcements channel.

Reporting a Vulnerability

We’re extremely grateful for security researchers and users that report vulnerabilities to the Celo community. All reports are thoroughly investigated.

Caution

Please do not create a public ticket mentioning any vulnerability.

The Celo community asks that all suspected vulnerabilities be privately and responsibly disclosed.

Creating a Report

  1. Submit your vulnerability to Celo on Remedy. This is currently a private program in beta. Message us for an invite.

  2. You can also email the security.report@clabs.co list with the details for reproducing the vulnerability as well as the usual details expected for all bug reports.

    You may encrypt your email using this GPG key, but encryption is NOT required:

    PGP Fingerprint ID: A22B62A5EAFB6948
    

Primary Focus

  • Celo protocol

However, the team may be able to assist in coordinating a response to a vulnerability in the third-party apps or tools in the Celo ecosystem.

In Scope

Out of Scope

  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Presence of autocomplete attribute on web forms
  • Bypassing rate-limits
  • Clickjacking on pages with no sensitive actions
  • Host header injection without proven business impact
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Open write access to documents pertaining to the community

General

  • If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate.
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity.
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted.
  • Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts
  • Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty.
  • Reports that state that software is out of date/vulnerable without a proof-of-concept

Frequently Asked Questions

  • What will happen if a vulnerability is reported and is known to the company from their own tests?

    It will be flagged as a duplicate.

  • What kind of exploits are excluded from the program or may be lowered in severity?

    • Reports that state that software is out of date/vulnerable without a proof-of-concept
    • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces
    • Issues that would require complex end user interactions to be exploited
    • Spam, social engineering and physical intrusion
    • DoS/DDoS attacks or brute force attacks
    • Vulnerabilities that are limited to non-current browsers (older than 3 versions)
    • Attacks requiring physical access to a victim’s computer/device
    • Man in the middle
    • Compromised user accounts
  • Do you accept recently disclosed zero-day vulnerabilities?

    We need time to patch our systems just like everyone else - please give us 2 weeks before reporting.

There aren’t any published security advisories