Security Vulnerability Disclosure Program

This Security Vulnerability Disclosure Program was last updated on December 1, 2017.

Overview

Blockchain Technology Research Innovations Corporation (BTRIC) is committed to protecting the privacy and security of our members, users of our software tools, and visitors to BTRIC sites. Our Security Vulnerability Disclosure Program is intended to minimize the impact any security flaws have on our tools, our hosted services, or their users. BTRIC’s Security Vulnerability Disclosure Program covers two types of software: select software partially or primarily written by BTRIC, and publicly facing software and systems BTRIC makes use of for its websites and other Internet services.

Scope: Software Written by BTRIC

In addition to the software and systems described below, this Program applies to security vulnerabilities discovered in any software that we have published on our GitHub repository. Please note this does not include simple forks that we have not contributed to.

In order to qualify, the vulnerability must exist in the latest public release (including officially released public betas) of the software. Only security vulnerabilities will qualify. We would love it if people reported other bugs via the appropriate channels, but since the purpose of this program is to fix security vulnerabilities, only bugs that lead to security vulnerabilities will be eligible for rewards.

Scope: Software and Systems BTRIC Uses

In addition to the software described above, BTRIC’s Security Vulnerability Disclosure Program applies to security vulnerabilities discovered in any web services or other public facing software running on any of the following domains:

  • btric.org and all subdomains (*.btric.org)
  • btric.net and all subdomains (*.btric.net)

Note: This Security Vulnerability Disclosure Program does not necessarily apply to btric.info or its subdomains, as the services hosted there are in a research and development phase and are not production-ready.

These are the vulnerabilities we are looking for:

  • Cross-site request forgery (CSRF/XSRF)
  • Cross-site scripting (XSS)
  • Authentication bypass
  • Remote code execution
  • SQL Injection
  • Privilege escalation

Bugs not listed will be accepted at our discretion. In order to qualify, the vulnerability must exist in software or a service that is actively running on BTRIC’s servers at the time the vulnerability is disclosed. (In other words, you won’t get a reward just for telling us about the latest CVE, unless we have neglected to patch or update the affected software more than 5 days after a fix has been released.) Security vulnerabilities created by the specific configuration of software on BTRIC servers are also in scope under this program. Vulnerabilities that require physical access to server hardware are ineligible for submission.

Guidelines

Please adhere to the following guidelines in order to be eligible for rewards under this disclosure program:

  • Do not permanently modify or delete BTRIC-hosted data.
  • Do not intentionally access non-public BTRIC data any more than is necessary to demonstrate the vulnerability.
  • Do not DDoS or otherwise disrupt, interrupt, or degrade our internal or external services.
  • Do not share confidential information obtained from BTRIC, including but not limited to member or donor payment information, with any third party.
  • Social engineering is out of scope. Do not send phishing emails to, or use other social engineering techniques against, anyone, including BTRIC staff, members, vendors, or partners.

In addition, please allow BTRIC at least 90 days to fix the vulnerability before publicly discussing or blogging about it. BTRIC believes that security researchers have a First Amendment right to report their research and that disclosure is highly beneficial. We also understand that when and how to hold back details, in order to mitigate the risk that vulnerability information will be misused, is a highly subjective question. If you believe that earlier disclosure is necessary, please let us know so that we can begin a conversation.

Reporting

Just as important as discovering security flaws is reporting the findings so that users can protect themselves and vendors can repair their products. Public disclosure of security information enables informed consumer choice and inspires vendors to be truthful about flaws, repair vulnerabilities and build more secure products. Disclosure and peer review advances the state of the art in security. Researchers can figure out where new technologies need to be developed, and the information can help policymakers understand where problems tend to occur.

On the other hand, vulnerability information can give attackers who would not otherwise have been able to find the problem on their own exactly what they need to exploit a security hole and cause harm. Therefore we ask that you privately report the vulnerability to BTRIC before any public disclosure.

Send an email to security@btric.org, encrypted with the GPG key located here, with a description of the vulnerability and detailed steps to reproduce it. Submissions that also include detailed information on how to fix the vulnerability are more likely to receive more valuable rewards.

If you do not want to be publicly thanked, please let us know that you want your submission to be confidential in your report email. We can still provide rewards for confidential submissions, if you like.

We are also happy to accept anonymous vulnerability reports, but of course we can’t send you our thanks if you report a vulnerability anonymously.

We will make every effort to respond to valid reports within seven business days.

The validity of a vulnerability will be judged at the sole discretion of BTRIC.

Rewards

Not all reported issues may qualify for a reward. Rewards are awarded at BTRIC’s sole discretion. As a nonprofit organization we are unable to afford cash bounties (sorry!), but can offer non-cash rewards, including:

  • Public acknowledgement on our website;
  • BTRIC gear (coming soon);
  • Free grant of “BTRIC Coin” (coming soon);
  • Opportunities to tour BTRIC’s office and meet or Skype with BTRIC’s leadership; and
  • Maybe we can even pick up your dinner tab if we ever meet up at an industry conference!

If you would like a particular reward (e.g., you already have a t-shirt and would prefer a sticker pack), please let us know when you report the vulnerability. While the reward BTRIC provides in exchange for disclosing a vulnerability under this policy will be up to the sole discretion of BTRIC, we will certainly take your request into consideration.

Please note that in some cases we will be unable to provide a physical reward if the shipping cost is prohibitively expensive.

Only the first report we receive about a given vulnerability will be rewarded. We cannot send rewards where prohibited by law (e.g., to North Korea, Cuba, etc.) or to persons and entities subject to economic sanctions pursuant to U.S. law or regulation.

Questions

If you have any questions about our vulnerability disclosure policy, please email security@btric.org (GPG key).
