Maintaining the security of our network and protecting our users’ privacy are top priorities at Orchid Labs. We recognize the value that the security researcher community brings to the table, and we welcome any and all contributions they might make to help build a more secure and private internet. If you follow these guidelines, Orchid Labs will not pursue or support any legal action related to your research.
Any web or mobile property owned and operated by Orchid Labs is in scope for this program.
- *.orchid.com
- The Orchid iOS and Android applications
- The Orchid Network and Smart Contracts
Bandwidth Consumers and Bandwidth Providers on the Orchid network are out of scope, as are users of the network and their devices.
When submitting a report, please be sure to include the following details. Low-quality or unclear reports may be closed. This recommended format will ensure that your report is readable and contains all the information Orchid Labs needs.
- Affected target, feature, or URL
- Version Number (for reports concerning the mobile application)
- Description of problem
- Impact of the issue
- Steps to reproduce
- Proof of Concept
- Is knowledge of this issue currently public?
To submit a vulnerability report to Orchid Labs’ Security Team, please email security@orchid.com.
- Well-written reports in English will have a higher chance of being accepted.
- Reports that include proof of concept code will be more likely to be accepted.
- Reports that include only crash dumps or other automated tool output will most likely not be accepted.
- Reports concerning products not in the scope listed above will most likely be ignored.
- Include how you found the bug, the impact, and any potential remediation.
- Include any plans you have for public disclosure.
In return, you can expect the following from Orchid Labs:
- A timely response to your email (within 2 business days).
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
- An expected timeline for patches and fixes (usually within 90 days).
- Credit after the vulnerability has been validated and fixed.
If applicable, Orchid Labs will coordinate public notification of a validated vulnerability with you. When possible, we would prefer that our respective public disclosures be posted simultaneously. In order to protect our customers, Orchid Labs requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed.