diff --git a/README.md b/README.md index 1b9d6a01..1fa16715 100644 --- a/README.md +++ b/README.md @@ -36,9 +36,8 @@ pnpm add @sablier/v2-periphery ## Security -This repository does not fall under our bug bounty program, but -[sablier-labs/v2-core](https://github.com/sablier-labs/v2-core) does. For any security-related concerns, please refer to -the terms specified in that repository. +Please refer to the [SECURITY](./SECURITY.md) policy for any security-related concerns. This repository is subject to a +bug bounty program per the terms outlined in the aforementioned policy. ## License diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..6a31f6fd --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,111 @@ +# Security + +Ensuring the security of the Sablier Protocol is our utmost priority. We have dedicated significant efforts towards the +design and testing of the protocol to guarantee its safety and reliability. However, we are aware that security is a +continuous process. If you believe you have found a security vulnerability, please read the following guidelines and +report it to us. + +## Bug Bounty + +### Overview + +Starting on July 1, 2023, the [sablier-labs/v2-periphery](https://github.com/sablier-labs/v2-periphery) repository is +subject to the Sablier V2 Bug Bounty (the "Program") to incentivize responsible bug disclosure. + +We are limiting the scope of the Program to critical and high severity bugs, and are offering a reward of up to $50,000. +Happy hunting! + +### Scope + +The scope of the Program is limited to bugs that result in the draining of funds locked up in contracts. + +The Program does NOT cover the following: + +- Code located in the [test](./test) or [script](./script) directories. +- External code in the [lib](./lib) directory, except for code that is explicitly used by a deployed contract located in + the [src](./src) directory. +- Contract deployments on test networks, such as Goerli. +- Bugs in third-party contracts or platforms interacting with Sablier V2 Periphery. +- Previously reported or discovered vulnerabilities in contracts built by third parties on Sablier V2 Periphery. +- Bugs that have already been reported. + +Vulnerabilities contingent upon the occurrence of any of the following also are outside the scope of this Program: + +- Front-end bugs +- DDOS attacks +- Spamming +- Phishing +- Social engineering attacks +- Private key leaks +- Automated tools (Github Actions, etc.) +- Compromise or misuse of third party systems or services + +### Assumptions + +Sablier V2 Periphery has been developed with a number of technical assumptions in mind. 
For a disclosure to qualify as a +vulnerability, it must adhere to these assumptions as well: + +- Every user creating streams via `SablierV2ProxyTarget` has a `SablierV2ProxyPlugin` contract installed for the + `onStreamCanceled` method. +- All relevant Sablier contracts are listed in the `SablierV2Archive` contract. +- [All assumptions](https://github.com/sablier-labs/v2-core/blob/main/SECURITY.md) in the Sablier V2 Core repository + apply to Sablier V2 Periphery as well. + +### Rewards + +Rewards will be allocated based on the severity of the bug disclosed and will be evaluated and rewarded at the +discretion of the Sablier Labs team. For critical bugs that lead to any loss of user funds, rewards of up to $50,000 +will be granted. Lower severity bugs will be rewarded at the discretion of the team. + +### Disclosure + +Any vulnerability or bug discovered must be reported only to the following email: +[security@sablier.com](mailto:security@sablier.com). + +The vulnerability must not be disclosed publicly or to any other person, entity or email address before Sablier Labs has +been notified, has fixed the issue, and has granted permission for public disclosure. In addition, disclosure must be +made within 24 hours following discovery of the vulnerability. + +A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please +provide as much information about the vulnerability as possible, including: + +- The conditions on which reproducing the bug is contingent. +- The steps needed to reproduce the bug or, preferably, a proof of concept. +- The potential implications of the vulnerability being abused. + +Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration +change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized +publicly for their contribution if they so choose. 
+ +### Eligibility + +To qualify for a reward under this Program, you must adhere to the following criteria: + +- Identify an undisclosed, non-public vulnerability in Sablier V2 that could result in the loss of or lock on any ERC-20 + asset, and which is within the scope of this Program. +- Be the first to report the unique vulnerability to [security@sablier.com](mailto:security@sablier.com) in accordance + with the disclosure requirements specified above. If multiple similar vulnerabilities are reported within a 24-hour + timeframe, rewards will be split at the discretion of Sablier Labs. +- Provide sufficient information to enable our engineers to reproduce and fix the vulnerability. +- Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive + tactics. +- Avoid exploiting the vulnerability in any manner, such as making it public or profiting from it (aside from the reward + offered under this Program). +- Make a genuine effort to prevent privacy violations, data destruction, and any interruption or degradation of Sablier + V2. +- Submit only one vulnerability per submission, unless chaining vulnerabilities is necessary to demonstrate the impact + of any of them. +- Do not submit a vulnerability that stems from an underlying issue for which a reward has already been paid under this + Program. +- You must not be a current or former employee, vendor, or contractor of Sablier Labs, or an employee of any of its + vendors or contractors. +- You must not be subject to UK sanctions or reside in a UK-embargoed country. +- Be at least 18 years old, or if younger, submit the vulnerability with the consent of a parent or guardian. + +### Other Terms + +By submitting your report, you grant Sablier Labs any and all rights, including intellectual property rights, needed to +validate, mitigate, and disclose the vulnerability. 
All reward decisions, including eligibility for and amounts of the +rewards and the manner in which such rewards will be paid, are made at our sole discretion. + +The terms and conditions of this Program may be altered at any time.
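Review bot: the rewritten Security section in README.md now only says the repository "is subject to a bug bounty program per the terms outlined in the aforementioned policy", which drops the one concrete thing a reporter needs, a reporting address. Since SECURITY.md in this same patch designates security@sablier.com as the sole reporting channel, consider stating it in the README as well, e.g. `Please report vulnerabilities to [security@sablier.com](mailto:security@sablier.com); see the [SECURITY](./SECURITY.md) policy for the bug bounty terms.` Also, "the aforementioned policy" reads stiffly in a README; "that policy" is enough. The removed lines pointed readers at sablier-labs/v2-core; the new SECURITY.md still relies on that repository's assumptions list, so the cross-reference survives, just one hop further away.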
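Review bot: the Scope, Overview, Rewards and Eligibility sections of the new SECURITY.md disagree on what qualifies for a reward. "Scope" limits the Program to "bugs that result in the draining of funds locked up in contracts" and "Overview" to "critical and high severity bugs", but "Eligibility" accepts a vulnerability "that could result in the loss of or lock on any ERC-20 asset", and "Rewards" says "Lower severity bugs will be rewarded at the discretion of the team". Decide whether a permanent lock (freeze) of funds and lower-severity issues are in scope and state it once, consistently, in all four places. Two smaller points in the same hunk: the first Eligibility bullet says "vulnerability in Sablier V2", which can be read as including v2-core, whose program is run from its own repository; say "Sablier V2 Periphery" as the rest of the file does. And in Disclosure, "disclosure must be made within 24 hours following discovery" is ambiguous right after a paragraph that forbids disclosure; say "the report must be sent to security@sablier.com within 24 hours of discovery". Finally, the only deployment exclusion is test networks such as Goerli; consider listing, or linking to, the mainnet deployment addresses that are in scope so reporters can confirm they are examining the canonical contracts.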