[{"id":3710943,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 days |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink/core\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base that are out of scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. 
Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/tree/master/contracts\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\nAlso the contracts for [Staking](https://github.com/smartcontractkit/staking-v0.1/tree/master/contracts) are in scope.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities that would cause a loss of service.\n\n## Feeds UI: feeds.chain.link (github.com/smartcontractkit/chainlink/feeds)\n\nThe application and source code driving the [Decentralized Price Reference Data](https://feeds.chain.link/) page.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/any-api/testnet-oracles/#:~:text=test) documentation page for existing Chainlink nodes running on the Ethereum test networks. 
Vulnerabilities found with the official Chainlink nodes (noted by being run by Chainlink) on this page are considered in scope.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* Mentions of secrets, access tokens, API keys, private keys, etc. 
in Github, will be considered out of scope without proof that they are in-use in production\n* create.smartcontract.com and testnet.smartcontract.com\n* Any subdomain of *.smartcontract.com\n* Any repository outside the smartcontractkit Github organization \n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Executing brute force attempts to perform actions beyond a proof of concept\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-17T22:17:13.880Z"},{"id":3680707,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 days |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink/core\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base that are out of scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/tree/master/contracts\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\nAlso the contracts for [Staking](https://github.com/smartcontractkit/staking-v0.1/tree/master/contracts) are in scope.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities that would cause a loss of service.\n\n## Explorers: explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n## Feeds UI: feeds.chain.link (github.com/smartcontractkit/chainlink/feeds)\n\nThe application and source code driving the [Decentralized Price Reference Data](https://feeds.chain.link/) page.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. 
See the links below for step-by-step walk-throughs. Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/any-api/testnet-oracles/#:~:text=test) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the official Chainlink nodes (noted by being run by Chainlink) on this page are considered in scope.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Mentions of secrets, access tokens, API keys, private keys, etc. in Github, will be considered out of scope without proof that they are in-use in production\n* create.smartcontract.com and testnet.smartcontract.com\n* Any subdomain of *.smartcontract.com\n* Any repository outside the smartcontractkit Github organization \n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Executing brute force attempts to perform actions beyond a proof of concept\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-06T18:09:08.506Z"},{"id":3676299,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 days |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink/core\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base that are out of scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/tree/master/contracts\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities that would cause a loss of service.\n\n## Explorers: explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n## Feeds UI: feeds.chain.link (github.com/smartcontractkit/chainlink/feeds)\n\nThe application and source code driving the [Decentralized Price Reference Data](https://feeds.chain.link/) page.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/any-api/testnet-oracles/#:~:text=test) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the official Chainlink nodes (noted by being run by Chainlink) on this page are considered in scope.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Mentions of secrets, access tokens, API keys, private keys, etc. in Github, will be considered out of scope without proof that they are in-use in production\n* create.smartcontract.com and testnet.smartcontract.com\n* Any subdomain of *.smartcontract.com\n* Any repository outside the smartcontractkit Github organization \n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Executing brute force attempts to perform actions beyond a proof of concept\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-18T20:59:30.231Z"},{"id":3676286,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 days |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink/core\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base that are out of scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/contracts\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities that would cause a loss of service.\n\n## Explorers: explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n## Feeds UI: feeds.chain.link (github.com/smartcontractkit/chainlink/feeds)\n\nThe application and source code driving the [Decentralized Price Reference Data](https://feeds.chain.link/) page.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the official Chainlink nodes (noted by being run by Chainlink) on this page are considered in scope.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Mentions of secrets, access tokens, API keys, private keys, etc. in Github, will be considered out of scope without proof that they are in-use in production\n* create.smartcontract.com and testnet.smartcontract.com\n* Any subdomain of *.smartcontract.com\n* Any repository outside the smartcontractkit Github organization \n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Executing brute force attempts to perform actions beyond a proof of concept\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-18T18:32:29.749Z"},{"id":3672560,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 days |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink/core\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/contracts\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities that would cause a loss of service.\n\n## Explorers: explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n## Feeds UI: feeds.chain.link (github.com/smartcontractkit/chainlink/feeds)\n\nThe application and source code driving the [Decentralized Price Reference Data](https://feeds.chain.link/) page.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the official Chainlink nodes (noted as being run by Chainlink) on this page are considered in scope.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Mentions of secrets, access tokens, API keys, private keys, etc. in Github, will be considered out of scope without proof that they are in-use in production\n* create.smartcontract.com and testnet.smartcontract.com\n* Any subdomain of *.smartcontract.com\n* Any repository outside the smartcontractkit Github organization \n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Executing brute force attempts to perform actions beyond a proof of concept\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-09T16:51:04.588Z"},{"id":3664033,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 day |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink/core\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/contracts\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Explorers: explorer.chain.link, ropsten.explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link (github.com/smartcontractkit/chainlink/explorer)\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n## Feeds UI: feeds.chain.link (github.com/smartcontractkit/chainlink/feeds)\n\nThe application and source code driving the [Decentralized Price Reference Data](https://feeds.chain.link/) page.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the official Chainlink nodes (noted as being run by Chainlink) on this page are considered in scope.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Mentions of secrets, access tokens, API keys, private keys, etc. in Github, will be considered out of scope without proof that they are in-use in production\n* create.smartcontract.com and testnet.smartcontract.com\n* Any subdomain of *.smartcontract.com\n* Any repository outside the smartcontractkit Github organization \n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Executing brute force attempts to perform actions beyond a proof of concept\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-07T19:02:05.349Z"},{"id":3656203,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 day |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink/core\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm-contracts\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm-contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Explorers: explorer.chain.link, ropsten.explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link (github.com/smartcontractkit/chainlink/explorer)\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n## Feeds UI: feeds.chain.link (github.com/smartcontractkit/chainlink/feeds)\n\nThe application and source code driving the [Decentralized Price Reference Data](https://feeds.chain.link/) page.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the official Chainlink nodes (noted as being run by Chainlink) on this page are considered in scope.\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Mentions of secrets, access tokens, API keys, private keys, etc. in Github, will be considered out of scope without proof that they are in-use in production\n* create.smartcontract.com and testnet.smartcontract.com\n* Any subdomain of *.smartcontract.com\n* Any repository outside the smartcontractkit Github organization \n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Executing brute force attempts to perform actions beyond a proof of concept\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-08-04T22:13:27.853Z"},{"id":3654206,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 day |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink/core\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm-contracts\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm-contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Explorers: explorer.chain.link, ropsten.explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link (github.com/smartcontractkit/chainlink/explorer)\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n## Feeds UI: feeds.chain.link (github.com/smartcontractkit/chainlink/feeds)\n\nThe application and source code driving the [Decentralized Price Reference Data](https://feeds.chain.link/) page.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the official Chainlink nodes (noted as being run by Chainlink) on this page are considered in scope.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Mentions of secrets, access tokens, API keys, private keys, etc. in Github, will be considered out of scope without proof that they are in-use in production\n* create.smartcontract.com and testnet.smartcontract.com\n* Any subdomain of *.smartcontract.com\n* Any repository outside the smartcontractkit Github organization \n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Executing brute force attempts to perform actions beyond a proof of concept\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-07-02T09:00:53.786Z"},{"id":3649864,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 day |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink/core\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm-contracts\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm-contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Explorers: explorer.chain.link, ropsten.explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link (github.com/smartcontractkit/chainlink/explorer)\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n## Feeds UI: feeds.chain.link (github.com/smartcontractkit/chainlink/feeds)\n\nThe application and source code driving the [Decentralized Price Reference Data](https://feeds.chain.link/) page.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the official Chainlink nodes (noted as being run by Chainlink) on this page are considered in scope.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* Mentions of secrets, access tokens, API keys, private keys, etc. in Github, will be considered out of scope without proof that they are in-use in production\n* create.smartcontract.com and testnet.smartcontract.com\n* Any subdomain of *.smartcontract.com\n* Any repository outside the smartcontractkit Github organization \n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-11T21:31:38.187Z"},{"id":3641054,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n| First Response | 3 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 30 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink/core\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm-contracts\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm-contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Explorers: explorer.chain.link, ropsten.explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link (github.com/smartcontractkit/chainlink/explorer)\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n## Feeds UI: feeds.chain.link (github.com/smartcontractkit/chainlink/feeds)\n\nThe application and source code driving the [Decentralized Price Reference Data](https://feeds.chain.link/) page.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the official Chainlink nodes (noted by being run by Chainlink) on this page are considered in scope.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* any subdomain of *.smartcontract.com\n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-06T20:03:02.607Z"},{"id":3635730,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Bounty Multiplier during May\n\nWe're pleased to announce another 2x bounty multiplier for all valid reports submitted in the month of May. This is a public program, so we encourage you to tell your friends about this promotion!\n\nPlease be mindful of our policy when conducting your testing. We are especially interested in reports on our Solidity contracts and our Golang client, but any valid submission that could compromise our security will be eligible for the promotion.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n| First Response | 3 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 30 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. 
[Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink/core\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm-contracts\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm-contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. 
Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Explorers: explorer.chain.link, ropsten.explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link (github.com/smartcontractkit/chainlink/explorer)\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n## Feeds UI: feeds.chain.link (github.com/smartcontractkit/chainlink/feeds)\n\nThe application and source code driving the [Decentralized Price Reference Data](https://feeds.chain.link/) page.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the official Chainlink nodes (noted by being run by Chainlink) on this page are considered in scope.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* any subdomain of *.smartcontract.com\n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized 
conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-01T18:01:43.194Z"},{"id":3632011,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n| First Response | 3 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 30 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink/core\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm-contracts\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm-contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Explorers: explorer.chain.link, ropsten.explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link (github.com/smartcontractkit/chainlink/explorer)\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n## Feeds UI: feeds.chain.link (github.com/smartcontractkit/chainlink/feeds)\n\nThe application and source code driving the [Decentralized Price Reference Data](https://feeds.chain.link/) page.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the official Chainlink nodes (noted by being run by Chainlink) on this page are considered in scope.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* any subdomain of *.smartcontract.com\n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-02T15:36:48.884Z"},{"id":3632010,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n| First Response | 3 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 30 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm-contracts\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm-contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Explorers: explorer.chain.link, ropsten.explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the official Chainlink nodes (noted by being run by Chainlink) on this page are considered in scope.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* any subdomain of *.smartcontract.com\n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-02T15:28:20.292Z"},{"id":3632003,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n| First Response | 3 days |\n| Time to Triage | 5 days |\n| Time to Bounty | 30 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm/contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Explorers: explorer.chain.link, ropsten.explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the official Chainlink nodes (noted as being run by Chainlink) on this page are considered in scope.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. 
The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* any subdomain of *.smartcontract.com\n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-02T13:59:58.538Z"},{"id":3630836,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 day |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm/contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Explorers: explorer.chain.link, ropsten.explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the nodes on this page are considered in scope.\n\n# HackerOne Ropsten Node\n\nWe have set up a Chainlink node specifically for the HackerOne bounty program. It is available at the link below. To test the security of this application, we will not be supplying credentials for it. Our [API Reference](https://docs.chain.link/reference) can be used to provide information on how to interact with the software.\n\nhttps://hackerone.node.chain.link/\n\nWhen creating [Chainlinked](https://docs.chain.link/docs/architecture-overview) contracts, you may use the information below to utilize this node. You are free to modify the ChainlinkClient contract and its imported contracts as you please, in order to find vulnerabilities with the deployed Oracle contract and the node that fulfills its requests. 
You can obtain Ropsten LINK by visiting our [Faucet](https://ropsten.chain.link) (also in-scope).\n\nLINK token address: [0x20fE562d797A42Dcb3399062AE9546cd06f63280](https://ropsten.etherscan.io/address/0x20fE562d797A42Dcb3399062AE9546cd06f63280)\nOracle contract address: [0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4](https://ropsten.etherscan.io/address/0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4)\n\nJobs have been added to this node which you can use to get data back to your smart contract:\n\n- Return Data Type: `bytes32`\n  - JobID: `84beb6b0753f43cfa5a324cd1fd41e55`\n  - Required Params: `get`, `path`\n- Return Data Type: `int256`\n  - JobID: `05a7c6a6841241eca8ba69b1fa265aaf`\n  - Required Params: `get`, `path`, `times`\n- Return Data Type: `uint256`\n  - JobID: `4e12314d570d45b288c507f81c3eb614`\n  - Required Params: `get`, `path`, `times`\n\nSee the [Request data using Chainlink](https://docs.chain.link/docs/request-and-receive-data) page for examples of how to create Chainlink requests from your Solidity smart contract.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* any subdomain of *.smartcontract.com\n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Site or domain configuration\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-18T16:53:09.691Z"},{"id":3630699,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 day |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm/contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Explorers: explorer.chain.link, ropsten.explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link\n\nChainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the nodes on this page are considered in scope.\n\n# HackerOne Ropsten Node\n\nWe have set up a Chainlink node specifically for the HackerOne bounty program. It is available at the link below. To test the security of this application, we will not be supplying credentials for it. Our [API Reference](https://docs.chain.link/reference) can be used to provide information on how to interact with the software.\n\nhttps://hackerone.node.chain.link/\n\nWhen creating [Chainlinked](https://docs.chain.link/docs/architecture-overview) contracts, you may use the information below to utilize this node. You are free to modify the ChainlinkClient contract and its imported contracts as you please, in order to find vulnerabilities with the deployed Oracle contract and the node that fulfills its requests. 
You can obtain Ropsten LINK by visiting our [Faucet](https://ropsten.chain.link) (also in-scope).\n\nLINK token address: [0x20fE562d797A42Dcb3399062AE9546cd06f63280](https://ropsten.etherscan.io/address/0x20fE562d797A42Dcb3399062AE9546cd06f63280)\nOracle contract address: [0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4](https://ropsten.etherscan.io/address/0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4)\n\nJobs have been added to this node which you can use to get data back to your smart contract:\n\n- Return Data Type: `bytes32`\n  - JobID: `84beb6b0753f43cfa5a324cd1fd41e55`\n  - Required Params: `get`, `path`\n- Return Data Type: `int256`\n  - JobID: `05a7c6a6841241eca8ba69b1fa265aaf`\n  - Required Params: `get`, `path`, `times`\n- Return Data Type: `uint256`\n  - JobID: `4e12314d570d45b288c507f81c3eb614`\n  - Required Params: `get`, `path`, `times`\n\nSee the [Request data using Chainlink](https://docs.chain.link/docs/request-and-receive-data) page for examples of how to create Chainlink requests from your Solidity smart contract.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* any subdomain of *.smartcontract.com\n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-16T19:17:33.503Z"},{"id":3630614,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 day |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm/contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Static Site: chain.link\n\nOur front-end site which displays information about the project. Currently there is no application residing here. Intercom is a 3rd party add-on and is not in scope for this program.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Discord](https://discord.gg/aSK4zew) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the nodes on this page are considered in scope.\n\n# HackerOne Ropsten Node\n\nWe have set up a Chainlink node specifically for the HackerOne bounty program. It is available at the link below. To test the security of this application, we will not be supplying credentials for it. Our [API Reference](https://docs.chain.link/reference) can be used to provide information on how to interact with the software.\n\nhttps://hackerone.node.chain.link/\n\nWhen creating [Chainlinked](https://docs.chain.link/docs/architecture-overview) contracts, you may use the information below to utilize this node. You are free to modify the ChainlinkClient contract and its imported contracts as you please, in order to find vulnerabilities with the deployed Oracle contract and the node that fulfills its requests. 
You can obtain Ropsten LINK by visiting our [Faucet](https://ropsten.chain.link) (also in-scope).\n\nLINK token address: [0x20fE562d797A42Dcb3399062AE9546cd06f63280](https://ropsten.etherscan.io/address/0x20fE562d797A42Dcb3399062AE9546cd06f63280)\nOracle contract address: [0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4](https://ropsten.etherscan.io/address/0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4)\n\nJobs have been added to this node which you can use to get data back to your smart contract:\n\n- Return Data Type: `bytes32`\n  - JobID: `84beb6b0753f43cfa5a324cd1fd41e55`\n  - Required Params: `get`, `path`\n- Return Data Type: `int256`\n  - JobID: `05a7c6a6841241eca8ba69b1fa265aaf`\n  - Required Params: `get`, `path`, `times`\n- Return Data Type: `uint256`\n  - JobID: `4e12314d570d45b288c507f81c3eb614`\n  - Required Params: `get`, `path`, `times`\n\nSee the [Request data using Chainlink](https://docs.chain.link/docs/request-and-receive-data) page for examples of how to create Chainlink requests from your Solidity smart contract.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* any subdomain of *.smartcontract.com\n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-02-14T18:35:32.811Z"},{"id":3624266,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 day |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm/contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Static Site: chain.link\n\nOur front-end site which displays information about the project. Currently there is no application residing here. Intercom is a 3rd party add-on and is not in scope for this program.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Gitter](https://gitter.im/smartcontractkit-chainlink/Lobby) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the nodes on this page are considered in scope.\n\n# HackerOne Ropsten Node\n\nWe have set up a Chainlink node specifically for the HackerOne bounty program. It is available at the link below. To test the security of this application, we will not be supplying credentials for it. Our [API Reference](https://docs.chain.link/reference) can be used to provide information on how to interact with the software.\n\nhttps://hackerone.node.chain.link/\n\nWhen creating [Chainlinked](https://docs.chain.link/docs/architecture-overview) contracts, you may use the information below to utilize this node. You are free to modify the ChainlinkClient contract and its imported contracts as you please, in order to find vulnerabilities with the deployed Oracle contract and the node that fulfills its requests. 
You can obtain Ropsten LINK by visiting our [Faucet](https://ropsten.chain.link) (also in-scope).\n\nLINK token address: [0x20fE562d797A42Dcb3399062AE9546cd06f63280](https://ropsten.etherscan.io/address/0x20fE562d797A42Dcb3399062AE9546cd06f63280)\nOracle contract address: [0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4](https://ropsten.etherscan.io/address/0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4)\n\nJobs have been added to this node which you can use to get data back to your smart contract:\n\n- Return Data Type: `bytes32`\n  - JobID: `84beb6b0753f43cfa5a324cd1fd41e55`\n  - Required Params: `get`, `path`\n- Return Data Type: `int256`\n  - JobID: `05a7c6a6841241eca8ba69b1fa265aaf`\n  - Required Params: `get`, `path`, `times`\n- Return Data Type: `uint256`\n  - JobID: `4e12314d570d45b288c507f81c3eb614`\n  - Required Params: `get`, `path`, `times`\n\nSee the [Request data using Chainlink](https://docs.chain.link/docs/request-and-receive-data) page for examples of how to create Chainlink requests from your Solidity smart contract.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* any subdomain of *.smartcontract.com\n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Email or DNS configurations\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-21T20:32:57.591Z"},{"id":3614488,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 days |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm/contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Static Site: chain.link\n\nOur front-end site which displays information about the project. Currently there is no application residing here. Intercom is a 3rd party add-on and is not in scope for this program.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Gitter](https://gitter.im/smartcontractkit-chainlink/Lobby) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the nodes on this page are considered in scope.\n\n# HackerOne Ropsten Node\n\nWe have set up a Chainlink node specifically for the HackerOne bounty program. It is available at the link below. To test the security of this application, we will not be supplying credentials for it. Our [API Reference](https://docs.chain.link/reference) can be used to provide information on how to interact with the software.\n\nhttps://hackerone.node.chain.link/\n\nWhen creating [Chainlinked](https://docs.chain.link/docs/architecture-overview) contracts, you may use the information below to utilize this node. You are free to modify the ChainlinkClient contract and its imported contracts as you please, in order to find vulnerabilities with the deployed Oracle contract and the node that fulfills its requests. 
You can obtain Ropsten LINK by visiting our [Faucet](https://ropsten.chain.link) (also in-scope).\n\nLINK token address: [0x20fE562d797A42Dcb3399062AE9546cd06f63280](https://ropsten.etherscan.io/address/0x20fE562d797A42Dcb3399062AE9546cd06f63280)\nOracle contract address: [0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4](https://ropsten.etherscan.io/address/0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4)\n\nJobs have been added to this node which you can use to get data back to your smart contract:\n\n- Return Data Type: `bytes32`\n  - JobID: `84beb6b0753f43cfa5a324cd1fd41e55`\n  - Required Params: `get`, `path`\n- Return Data Type: `int256`\n  - JobID: `05a7c6a6841241eca8ba69b1fa265aaf`\n  - Required Params: `get`, `path`, `times`\n- Return Data Type: `uint256`\n  - JobID: `4e12314d570d45b288c507f81c3eb614`\n  - Required Params: `get`, `path`, `times`\n\nSee the [Request data using Chainlink](https://docs.chain.link/docs/request-and-receive-data) page for examples of how to create Chainlink requests from your Solidity smart contract.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* Intercom add-on on any asset (the in-browser chat application)\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-22T12:52:14.117Z"},{"id":3613469,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 days |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm/contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Static Site: chain.link\n\nOur front-end site which displays information about the project. Currently there is no application residing here. Intercom is a 3rd party add-on and is not in scope for this program.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Gitter](https://gitter.im/smartcontractkit-chainlink/Lobby) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the nodes on this page are considered in scope.\n\n# HackerOne Ropsten Node\n\nWe have set up a Chainlink node specifically for the HackerOne bounty program. It is available at the link below. To test the security of this application, we will not be supplying credentials for it. Our [API Reference](https://docs.chain.link/reference) can be used to provide information on how to interact with the software.\n\nhttps://hackerone.node.chain.link/\n\nWhen creating [Chainlinked](https://docs.chain.link/docs/architecture-overview) contracts, you may use the information below to utilize this node. You are free to modify the ChainlinkClient contract and its imported contracts as you please, in order to find vulnerabilities with the deployed Oracle contract and the node that fulfills its requests. 
You can obtain Ropsten LINK by visiting our [Faucet](https://ropsten.chain.link) (also in-scope).\n\nLINK token address: [0x20fE562d797A42Dcb3399062AE9546cd06f63280](https://ropsten.etherscan.io/address/0x20fE562d797A42Dcb3399062AE9546cd06f63280)\nOracle contract address: [0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4](https://ropsten.etherscan.io/address/0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4)\n\nJobs have been added to this node which you can use to get data back to your smart contract:\n\n- Return Data Type: `bytes32`\n  - JobID: `84beb6b0753f43cfa5a324cd1fd41e55`\n  - Required Params: `get`, `path`\n- Return Data Type: `int256`\n  - JobID: `05a7c6a6841241eca8ba69b1fa265aaf`\n  - Required Params: `get`, `path`, `times`\n- Return Data Type: `uint256`\n  - JobID: `4e12314d570d45b288c507f81c3eb614`\n  - Required Params: `get`, `path`, `times`\n\nSee the [Request data using Chainlink](https://docs.chain.link/docs/request-and-receive-data) page for examples of how to create Chainlink requests from your Solidity smart contract.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* Intercom add-on on any asset\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-07T15:14:15.762Z"},{"id":3609908,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 days |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## Core Node: github.com/smartcontractkit/chainlink\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. Currently, SGX is experimental and is not considered in-scope for this program. The Coordinator contract is also currently under development and is also not considered in-scope for this program.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there and our [scratchpad](https://www.pivotaltracker.com/n/projects/2186311) for issues that we already know about.\n\n## Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm\n\nThe smart contracts residing on the [Github repository](https://github.com/smartcontractkit/chainlink/tree/master/evm/contracts)  are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.\n\n## LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## Static Site: chain.link\n\nOur front-end site which displays information about the project. Currently there is no application residing here. Intercom is a 3rd party add-on and is not in scope for this program.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Gitter](https://gitter.im/smartcontractkit-chainlink/Lobby) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the nodes on this page are considered in scope.\n\n# HackerOne Ropsten Node\n\nWe have set up a Chainlink node specifically for the HackerOne bounty program. It is available at the link below. To test the security of this application, we will not be supplying credentials for it. Our [API Reference](https://docs.chain.link/reference) can be used to provide information on how to interact with the software.\n\nhttps://hackerone.node.chain.link/\n\nWhen creating [Chainlinked](https://docs.chain.link/docs/architecture-overview) contracts, you may use the information below to utilize this node. You are free to modify the ChainlinkClient contract and its imported contracts as you please, in order to find vulnerabilities with the deployed Oracle contract and the node that fulfills its requests. 
You can obtain Ropsten LINK by visiting our [Faucet](https://ropsten.chain.link) (also in-scope).\n\nLINK token address: [0x20fE562d797A42Dcb3399062AE9546cd06f63280](https://ropsten.etherscan.io/address/0x20fE562d797A42Dcb3399062AE9546cd06f63280)\nOracle contract address: [0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4](https://ropsten.etherscan.io/address/0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4)\n\nJobs have been added to this node which you can use to get data back to your smart contract:\n\n- Return Data Type: `bytes32`\n  - JobID: `84beb6b0753f43cfa5a324cd1fd41e55`\n  - Required Params: `get`, `path`\n- Return Data Type: `int256`\n  - JobID: `05a7c6a6841241eca8ba69b1fa265aaf`\n  - Required Params: `get`, `path`, `times`\n- Return Data Type: `uint256`\n  - JobID: `4e12314d570d45b288c507f81c3eb614`\n  - Required Params: `get`, `path`, `times`\n\nSee the [Request data using Chainlink](https://docs.chain.link/docs/request-and-receive-data) page for examples of how to create Chainlink requests from your Solidity smart contract.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* Intercom add-on on any asset\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-21T01:44:13.841Z"},{"id":3609889,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 days |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## github.com/smartcontractkit/chainlink\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. Currently, SGX is experimental and is not considered in-scope for this program. The Coordinator contract is also currently under development and is also not considered in-scope for this program.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there and our [scratchpad](https://www.pivotaltracker.com/n/projects/2186311) for issues that we already know about.\n\n## ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## chain.link\n\nOur front-end site which displays information about the project. Currently there is no application residing here. Intercom is a 3rd party add-on and is not in scope for this program.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Gitter](https://gitter.im/smartcontractkit-chainlink/Lobby) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# Testnet Chainlink Nodes\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the nodes on this page are considered in scope.\n\n# HackerOne Ropsten Node\n\nWe have set up a Chainlink node specifically for the HackerOne bounty program. It is available at the link below. To test the security of this application, we will not be supplying credentials for it. Our [API Reference](https://docs.chain.link/reference) can be used to provide information on how to interact with the software.\n\nhttps://hackerone.node.chain.link/\n\nWhen creating [Chainlinked](https://docs.chain.link/docs/architecture-overview) contracts, you may use the information below to utilize this node. You are free to modify the ChainlinkClient contract and its imported contracts as you please, in order to find vulnerabilities with the deployed Oracle contract and the node that fulfills its requests. 
You can obtain Ropsten LINK by visiting our [Faucet](https://ropsten.chain.link) (also in-scope).\n\nLINK token address: [0x20fE562d797A42Dcb3399062AE9546cd06f63280](https://ropsten.etherscan.io/address/0x20fE562d797A42Dcb3399062AE9546cd06f63280)\nOracle contract address: [0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4](https://ropsten.etherscan.io/address/0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4)\n\nJobs have been added to this node which you can use to get data back to your smart contract:\n\n- Return Data Type: `bytes32`\n  - JobID: `84beb6b0753f43cfa5a324cd1fd41e55`\n  - Required Params: `get`, `path`\n- Return Data Type: `int256`\n  - JobID: `05a7c6a6841241eca8ba69b1fa265aaf`\n  - Required Params: `get`, `path`, `times`\n- Return Data Type: `uint256`\n  - JobID: `4e12314d570d45b288c507f81c3eb614`\n  - Required Params: `get`, `path`, `times`\n\nSee the [Request data using Chainlink](https://docs.chain.link/docs/request-and-receive-data) page for examples of how to create Chainlink requests from your Solidity smart contract.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* Intercom add-on on any asset\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-20T19:41:39.340Z"},{"id":3609888,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 days |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## github.com/smartcontractkit/chainlink\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. Currently, SGX is experimental and is not considered in-scope for this program. The Coordinator contract is also currently under development and is also not considered in-scope for this program.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there and our [scratchpad](https://www.pivotaltracker.com/n/projects/2186311) for issues that we already know about.\n\n## ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## chain.link\n\nOur front-end site which displays information about the project. Currently there is no application residing here. Intercom is a 3rd party add-on and is not in scope for this program.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. 
Feel free to reach out on our [Gitter](https://gitter.im/smartcontractkit-chainlink/Lobby) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\nUse our [Decentralized Oracles on Testnet](https://docs.chain.link/docs/testnet-oracles) documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the nodes on this page are considered in scope.\n\n# HackerOne Ropsten Node\n\nWe have set up a Chainlink node specifically for the HackerOne bounty program. It is available at the link below. To test the security of this application, we will not be supplying credentials for it. Our [API Reference](https://docs.chain.link/reference) can be used to provide information on how to interact with the software.\n\nhttps://hackerone.node.chain.link/\n\nWhen creating [Chainlinked](https://docs.chain.link/docs/architecture-overview) contracts, you may use the information below to utilize this node. You are free to modify the ChainlinkClient contract and its imported contracts as you please, in order to find vulnerabilities with the deployed Oracle contract and the node that fulfills its requests. 
You can obtain Ropsten LINK by visiting our [Faucet](https://ropsten.chain.link) (also in-scope).\n\nLINK token address: [0x20fE562d797A42Dcb3399062AE9546cd06f63280](https://ropsten.etherscan.io/address/0x20fE562d797A42Dcb3399062AE9546cd06f63280)\nOracle contract address: [0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4](https://ropsten.etherscan.io/address/0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4)\n\nJobs have been added to this node which you can use to get data back to your smart contract:\n\n- Return Data Type: `bytes32`\n  - JobID: `84beb6b0753f43cfa5a324cd1fd41e55`\n  - Required Params: `get`, `path`\n- Return Data Type: `int256`\n  - JobID: `05a7c6a6841241eca8ba69b1fa265aaf`\n  - Required Params: `get`, `path`, `times`\n- Return Data Type: `uint256`\n  - JobID: `4e12314d570d45b288c507f81c3eb614`\n  - Required Params: `get`, `path`, `times`\n\nSee the [Request data using Chainlink](https://docs.chain.link/docs/request-and-receive-data) page for examples of how to create Chainlink requests from your Solidity smart contract.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* Intercom add-on on any asset\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-20T19:39:52.217Z"},{"id":3609805,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 days |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## github.com/smartcontractkit/chainlink\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. Currently, SGX is experimental and is not considered in-scope for this program. The Coordinator contract is also currently under development and is also not considered in-scope for this program.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there and our [scratchpad](https://www.pivotaltracker.com/n/projects/2186311) for issues that we already know about.\n\n## ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## chain.link\n\nOur front-end site which displays information about the project. Currently there is no application residing here. Intercom is a 3rd party add-on and is not in scope for this program.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. Feel free to reach out on our [Gitter](https://gitter.im/smartcontractkit-chainlink/Lobby) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# HackerOne Ropsten Node\n\nWe have set up a Chainlink node specifically for the HackerOne bounty program. 
It is available at the link below. To test the security of this application, we will not be supplying credentials for it. Our [API Reference](https://docs.chain.link/reference) can be used to provide information on how to interact with the software.\n\nhttps://hackerone.node.chain.link/\n\nWhen creating [Chainlinked](https://docs.chain.link/docs/architecture-overview) contracts, you may use the information below to utilize this node. You are free to modify the ChainlinkClient contract and its imported contracts as you please, in order to find vulnerabilities with the deployed Oracle contract and the node that fulfills its requests. You can obtain Ropsten LINK by visiting our [Faucet](https://ropsten.chain.link) (also in-scope).\n\nLINK token address: [0x20fE562d797A42Dcb3399062AE9546cd06f63280](https://ropsten.etherscan.io/address/0x20fE562d797A42Dcb3399062AE9546cd06f63280)\nOracle contract address: [0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4](https://ropsten.etherscan.io/address/0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4)\n\nJobs have been added to this node which you can use to get data back to your smart contract:\n\n- Return Data Type: `bytes32`\n  - JobID: `84beb6b0753f43cfa5a324cd1fd41e55`\n  - Required Params: `get`, `path`\n- Return Data Type: `int256`\n  - JobID: `05a7c6a6841241eca8ba69b1fa265aaf`\n  - Required Params: `get`, `path`, `times`\n- Return Data Type: `uint256`\n  - JobID: `4e12314d570d45b288c507f81c3eb614`\n  - Required Params: `get`, `path`, `times`\n\nSee the [Request data using Chainlink](https://docs.chain.link/docs/request-and-receive-data) page for examples of how to create Chainlink requests from your Solidity smart contract.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program 
Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* Intercom add-on on any asset\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-20T00:59:18.243Z"},{"id":3609184,"new_policy":"SmartContract looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nSmartContract will make a best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n|----------|--------------------|\n|  First Response | 3 days |\n| Time to Triage   | 5 days |\n| Time to  Bounty   | 30 days |\n|  Time to Resolution   | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Information \u0026 Resources\n\nThe Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. [Job Specifications](https://chainlink.readme.io/docs/job-specifications) are added to the node through a [REST API](https://docs.chain.link/reference) so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). 
An overview of the architecture is available [here](https://docs.chain.link/docs/architecture-overview).\n\n# Scope\n\n## github.com/smartcontractkit/chainlink\n\nThe [Chainlink](https://github.com/smartcontractkit/chainlink) node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. Currently, SGX is experimental and is not considered in-scope for this program. The Coordinator contract is also currently under development and is also not considered in-scope for this program.\n\nWe also have a [project tracker](https://www.pivotaltracker.com/n/projects/2129823) where existing bugs are kept. Be sure to check there and our [scratchpad](https://www.pivotaltracker.com/n/projects/2186311) for issues that we already know about.\n\n## ropsten.chain.link, rinkeby.chain.link, \u0026 kovan.chain.link\n\nThe faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.\n\n## chain.link\n\nOur front-end site which displays information about the project. Currently there is no application residing here.\n\n# Installation \u0026 Setup\n\nWe have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. Feel free to reach out on our [Gitter](https://gitter.im/smartcontractkit-chainlink/Lobby) for help.\n\n- [The Complete Setup Guide for a Chainlink Development Environment](https://github.com/smartcontractkit/chainlink/wiki/Development-Setup-Guide)\n- [Running a Chainlink Node](https://docs.chain.link/docs/running-a-chainlink-node)\n- [Fulfilling Requests](https://docs.chain.link/docs/fulfilling-requests)\n\n# HackerOne Ropsten Node\n\nWe have set up a Chainlink node specifically for the HackerOne bounty program. It is available at the link below. 
To test the security of this application, we will not be supplying credentials for it. Our [API Reference](https://docs.chain.link/reference) can be used to provide information on how to interact with the software.\n\nhttps://hackerone.node.chain.link/\n\nWhen creating [Chainlinked](https://docs.chain.link/docs/architecture-overview) contracts, you may use the information below to utilize this node. You are free to modify the ChainlinkClient contract and its imported contracts as you please, in order to find vulnerabilities with the deployed Oracle contract and the node that fulfills its requests. You can obtain Ropsten LINK by visiting our [Faucet](https://ropsten.chain.link) (also in-scope).\n\nLINK token address: [0x20fE562d797A42Dcb3399062AE9546cd06f63280](https://ropsten.etherscan.io/address/0x20fE562d797A42Dcb3399062AE9546cd06f63280)\nOracle contract address: [0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4](https://ropsten.etherscan.io/address/0x0d3A5e0bA82f245d5eaFBFFe990450f036Af30D4)\n\nJobs have been added to this node which you can use to get data back to your smart contract:\n\n- Return Data Type: `bytes32`\n  - JobID: `84beb6b0753f43cfa5a324cd1fd41e55`\n  - Required Params: `get`, `path`\n- Return Data Type: `int256`\n  - JobID: `05a7c6a6841241eca8ba69b1fa265aaf`\n  - Required Params: `get`, `path`, `times`\n- Return Data Type: `uint256`\n  - JobID: `4e12314d570d45b288c507f81c3eb614`\n  - Required Params: `get`, `path`, `times`\n\nSee the [Request data using Chainlink](https://docs.chain.link/docs/request-and-receive-data) page for examples of how to create Chainlink requests from your Solidity smart contract.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n* Please provide detailed 
reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Out of scope vulnerabilities\nWhen reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n* create.smartcontract.com and testnet.smartcontract.com\n* SGX-related issues or vulnerabilities\n* Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)\n* OS-related vulnerabilities\n* Clickjacking on pages with no sensitive actions.\n* Unauthenticated/logout/login CSRF.\n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n* Missing best practices in SSL/TLS configuration.\n* Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Chainlink and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-09T20:48:59.899Z"}]