We hope that we’ll be able to encourage security of the Po.et protocol and software through incentivized collaboration.
We value the input of researchers acting in good faith to help us maintain a high standard of security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. Our policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
A responsible disclosure policy allows researchers to collaborate with the Po.et core team to reveal potential vulnerabilities and gives us a chance to fix the issue before the vulnerability is made public. When vulnerabilities are submitted responsibly, it can encourage coordination to minimize the disruption of any services built using Po.et’s software.
Only software directly developed by the Po.et team is covered under this disclosure policy.
Third-party packages, software, plugins, and community-built software are not included. If we get a disclosure for outside software, we will not disclose the vulnerability to the third party, so as to protect you from any undue legal issues and to ensure you’re still eligible for any outstanding bounties that they provide.
Other examples of reports not covered under the responsible disclosures policy include:
When working with us according to this policy, you can expect us to:
When conducting vulnerability research according to this policy, we consider this research to be:
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.
Please email firstname.lastname@example.org for all communications. Do not use other channels such as Twitter, Telegram, or Reddit.
If you’d like to encrypt your submission, please use this PGP key:
As of October 1st, 2019, we have closed the bug bounty program as we will be transitioning the Po.et protocols to become the Linked Claims protocols. The Po.et team will continue to contribute to the Linked Claims protocols and use them as we develop applications.
Some of the language we’ve used for our policies came from disclose.io, a collaborative and vendor-agnostic project to standardize best practices around safe harbor for good-faith security research. We’ve also used language from Snyk in prior disclosure documents.
We hope that you’re excited about our approaches to collaborative security and look forward to any vulnerabilities that you may find! 🙇