[{"id":3774062,"new_policy":"# Cosmos Stack Bug Bounty Program\n\nCosmos Labs believes that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Cosmos Stack.\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol. As such, this program is not the right place to search for web application vulnerabilities like XSS, CSRF, and header misconfigurations.\n\nThe focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that make up the Cosmos Stack. Assets in scope include source code for integral components of Cosmos, and do not include third-party services or IT assets.  These assets are fully defined in our Scope section.\nBounty rewards are based on multiple factors, including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, available here.\n\n## Program Rewards\n\nWhile there is no maximum program reward at this time, we value creative findings and high-severity bugs, and we maintain a robust program budget to reward them accordingly.\n\nWe evaluate each report and rate the severity of submitted issues. At our discretion, we may reward exceptionally high-quality reports or creative lower-severity findings at a higher tier.\n\nInformational reports are not eligible for bounty rewards.  
Repeated informational or inapplicable submissions will be treated as spam and result in exclusion from the program.\n\nRewards for eligible bugs are paid out according to our assessment of issue severity:\n\n* Critical: starting at $50,000\n* High: starting at $12,500\n* Medium: starting at $2,500\n* Low: starting at $1,000\n\nIf duplicate reports are received, a bounty (if applicable) will be awarded to the first valid reporter.\nWhen an issue is on track to be mitigated or remediated, we will coordinate with researchers to credit the finding in advisories and release notes, and to support disclosure of valid issues reported through this program.\n\n## Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes they have discovered a vulnerability in the Cosmos Stack.\nThis policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Cosmos Stack and the teams and infrastructure it supports. It supersedes all previous security policies used by individual teams or projects within scope.\n\n## Our Commitments\n\nWhen working with us under this policy, we will always use reasonable efforts to:\n\n* Respond and work with you to understand and validate reports\n* Keep you informed about vulnerability status and progress\n* Remediate valid vulnerabilities in a timely manner, within operational constraints\n* Extend Safe Harbor for security research conducted in accordance with this policy\n\n## Expectations of Researchers\n\nWhen participating in this program in good faith, researchers must follow these guidelines. Participants who violate these expectations may have their reports closed, be deemed ineligible for bounty rewards, or be permanently banned from the program at Cosmos Labs’ discretion. 
\n\n* Adhere to the policy and agreements, including the requirements for confidentiality, privacy, disclosure, and eligibility.\n* Never violate privacy, disrupt systems, destroy data, or harm user experience\n* Use only Official Channels to discuss vulnerability information\n* Only disclose remediated vulnerabilities.\n* Perform testing and submit reports only on in-scope systems\n* Limit data access strictly to what is required for proof of concept\n* Cease testing immediately and submit a report if any sensitive user data is encountered (PII, PHI, financial data, proprietary information)\n* Use only test accounts you own or have explicit permission to use\n* Never engage in extortion or coercive behavior\n\nIn addition, repeated submissions that do not meet program guidelines will result in a ban from the program.\n\n# Program Scope\n\nWe are interested in a full range of vulnerabilities with demonstrable security impact, ranging from issues proven with unit tests to those requiring full cluster deployments and complex transaction flows.\n\n## Release Policy Requirement\n\nOnly released code is eligible for bounty rewards.\n\nTo be considered valid and in scope:\n\n* The issue must exist in released code that is tagged and actively maintained under the Cosmos Release Family Policy\n* Code that exists only on main, master, or other development branches is not in scope\n\nThe Release Family Policy is defined here:\n\nhttps://docs.cosmos.network/sdk/latest/release-family#upgrades-and-support\n\n## In Scope\n\n* The issue must be exploitable in an intended deployed environment and configuration.\n* Exploitation must not require a previously compromised environment (e.g., a compromised node or a majority-compromised consensus).\n* The issue must exist in a supported release according to the Release Family Policy.\n\n## Out of Scope\n\n* Issues requiring a compromised environment to exploit.\n* Assets not explicitly listed as in scope, including those not owned by 
participating teams.\n* Issues already publicly or privately addressed.\n* Third-party services and websites.\n* Web vulnerabilities (including but not limited to XSS, CSRF, CORS, cookie flags, TLS config, headers, email configuration).\n* Documented configuration behaviors in expected deployment scenarios.\n* Governance misconfiguration-specific issues.\n* Package registry or dependency management issues without Cosmos-specific exploit PoCs.\n* Social engineering attacks.\n* Scanner-generated or informational-only reports.\n* Dependency vulnerability reports without demonstrated impact on in-scope systems.\n* Non-trivial or volumetric DoS attacks mitigated by gas, fees, or operational controls.\n* Architectural critiques without immediate exploitability.\n* Issues fixed upstream less than 90 days prior.\n* Downstream effects of previously resolved bounty issues.\n* Following https://github.com/cosmos/cosmos-sdk/pull/25090, the x/group, x/circuit, x/crisis, and x/nft modules are no longer in scope.\n\n### A Note on Gaia\n\nGaia is included only as a reference implementation of the Cosmos Stack.\nAll Cosmos Hub-specific features, third-party modules, or non-core functionality in the Gaia repository are out of scope for bounty rewards.\n\n# Program Policies\n\n* All submissions must include a Proof of Concept demonstrating real-world impact and exploitability. The proof of concept must be code that can be read and run by the security team. Descriptions of attacks do not count as valid PoCs and will result in submissions being closed as \"Not Applicable\".\n* PoCs must demonstrate real user flows\n* Mock-only or database-only calls are insufficient\n* Reports without adequate detail will be closed or returned\n\nSubmissions must be original work authored by humans. Reports generated or significantly assisted by AI tools (including but not limited to ChatGPT, Claude, Copilot, etc.) are prohibited and will result in immediate closure and potential program ban. 
All submissions must demonstrate genuine human understanding, manual testing, and original analysis.\n\n## Eligibility for Bounty\n\nTo be eligible for consideration under our bug bounty program, researchers must meet the following criteria: \n\n* You must not have been employed by or contracted to the team maintaining the affected code within the last 12 months\n* You must submit exclusively through HackerOne\n* Email submissions are not eligible for bounty rewards\n* You must maintain a HackerOne reputation score above 150 and a HackerOne signal above 1.\n* Have a HackerOne profile that is at least 6 months old.\n* If the researcher has previously submitted to our program, they must maintain a valid-to-closed report ratio above 50%.\n\nSubmissions from researchers who do not meet these requirements will be closed as Spam. Repeated submissions that fail to meet these criteria may result in removal from the program and/or a platform ban.\n\n## Confidentiality\n\nAll communication regarding submitted issues must occur exclusively on HackerOne.\n\nExternal communication, out-of-band disclosures, or premature publication will void eligibility for bounty rewards and future participation.\n\n## Official Channels\n\nHackerOne: official vulnerability reporting platform\nEmail (non-bounty): security@cosmoslabs.io\n\nEmail reports are accepted for disclosure purposes only and are not eligible for bounty rewards.\n\n## Disclosure\n\nPublic disclosure is supported only after an issue is marked Resolved on HackerOne.\n\nResearchers may request attribution in advisories or release documentation once disclosure is approved.  Researchers who bypass this will be banned permanently from all of our programs.\n\n## Good Faith\n\nResearchers must act respectfully and in good faith at all times. 
Misconduct—including threats, harassment, extortion, public shaming, or false accusations—will result in report closure and permanent exclusion from the program.\nCosmos Labs will work with you in good faith, but in the case of any dispute Cosmos Labs’ decision will be final.\n\n## Safe Harbor\n\nResearch conducted in accordance with this policy is considered:\n\n* Authorized under applicable anti-hacking and anti-circumvention laws\n* Exempt from relevant TOS/AUP restrictions\n* Conducted lawfully and in good faith\n* Safe Harbor applies only to claims under the control of participating organizations.\n\n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer covering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}","{\"category\":\"Cosmos EVM modules that are not covered or maintained\",\"details\":\"`x/precisebank` in Cosmos EVM is no longer covered in this program and will no longer be maintained. Older versions of this software will not be patched and users are urged to no longer use this.\"}"],"timestamp":"2026-05-12T17:30:51.885Z"},{"id":3774061,"new_policy":"# Cosmos Stack Bug Bounty Program\n\nCosmos Labs believes that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Cosmos Stack.\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol. 
As such, this program is not the right place to search for web application vulnerabilities like XSS, CSRF, and header misconfigurations.\n\nThe focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that make up the Cosmos Stack. Assets in scope include source code for integral components of Cosmos, and do not include third-party services or IT assets.  These assets are fully defined in our Scope section.\nBounty rewards are based on multiple factors, including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, available here.\n\n## Program Rewards\n\nWhile there is no maximum program reward at this time, we value creative findings and high-severity bugs, and we maintain a robust program budget to reward them accordingly.\n\nWe evaluate each report and rate the severity of submitted issues. At our discretion, we may reward exceptionally high-quality reports or creative lower-severity findings at a higher tier.\n\nInformational reports are not eligible for bounty rewards.  
Repeated informational or inapplicable submissions will be treated as spam and result in exclusion from the program.\n\nRewards for eligible bugs are paid out according to our assessment of issue severity:\n\n* Critical: starting at $50,000\n* High: starting at $12,500\n* Medium: starting at $2,500\n* Low: starting at $1,000\n\nIf duplicate reports are received, a bounty (if applicable) will be awarded to the first valid reporter.\nWhen an issue is on track to be mitigated or remediated, we will coordinate with researchers to credit the finding in advisories and release notes, and to support disclosure of valid issues reported through this program.\n\n## Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes they have discovered a vulnerability in the Cosmos Stack.\nThis policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Cosmos Stack and the teams and infrastructure it supports. It supersedes all previous security policies used by individual teams or projects within scope.\n\n## Our Commitments\n\nWhen working with us under this policy, we will always use reasonable efforts to:\n\n* Respond and work with you to understand and validate reports\n* Keep you informed about vulnerability status and progress\n* Remediate valid vulnerabilities in a timely manner, within operational constraints\n* Extend Safe Harbor for security research conducted in accordance with this policy\n\n## Expectations of Researchers\n\nWhen participating in this program in good faith, researchers must follow these guidelines. Participants who violate these expectations may have their reports closed, be deemed ineligible for bounty rewards, or be permanently banned from the program at Cosmos Labs’ discretion. 
\n\n* Adhere to the policy and agreements, including the requirements for confidentiality, privacy, disclosure, and eligibility.\n* Never violate privacy, disrupt systems, destroy data, or harm user experience\n* Use only Official Channels to discuss vulnerability information\n* Only disclose remediated vulnerabilities.\n* Perform testing and submit reports only on in-scope systems\n* Limit data access strictly to what is required for proof of concept\n* Cease testing immediately and submit a report if any sensitive user data is encountered (PII, PHI, financial data, proprietary information)\n* Use only test accounts you own or have explicit permission to use\n* Never engage in extortion or coercive behavior\n\nIn addition, repeated submissions that do not meet program guidelines will result in a ban from the program.\n\n# Program Scope\n\nWe are interested in a full range of vulnerabilities with demonstrable security impact, ranging from issues proven with unit tests to those requiring full cluster deployments and complex transaction flows.\n\n## Release Policy Requirement\n\nOnly released code is eligible for bounty rewards.\n\nTo be considered valid and in scope:\n\n* The issue must exist in released code that is tagged and actively maintained under the Cosmos Release Family Policy\n* Code that exists only on main, master, or other development branches is not in scope\n\nThe Release Family Policy is defined here:\n\nhttps://docs.cosmos.network/sdk/latest/release-family#upgrades-and-support\n\n## In Scope\n\n* The issue must be exploitable in an intended deployed environment and configuration.\n* Exploitation must not require a previously compromised environment (e.g., a compromised node or a majority-compromised consensus).\n* The issue must exist in a supported release according to the Release Family Policy.\n\n## Out of Scope\n\n* Issues requiring a compromised environment to exploit.\n* Assets not explicitly listed as in scope, including those not owned by 
participating teams.\n* Issues already publicly or privately addressed.\n* Third-party services and websites.\n* Web vulnerabilities (including but not limited to XSS, CSRF, CORS, cookie flags, TLS config, headers, email configuration).\n* Documented configuration behaviors in expected deployment scenarios.\n* Governance misconfiguration-specific issues.\n* Package registry or dependency management issues without Cosmos-specific exploit PoCs.\n* Social engineering attacks.\n* Scanner-generated or informational-only reports.\n* Dependency vulnerability reports without demonstrated impact on in-scope systems.\n* Non-trivial or volumetric DoS attacks mitigated by gas, fees, or operational controls.\n* Architectural critiques without immediate exploitability.\n* Issues fixed upstream less than 90 days prior.\n* Downstream effects of previously resolved bounty issues.\n* Following https://github.com/cosmos/cosmos-sdk/pull/25090, the x/group, x/circuit, x/crisis, and x/nft modules are no longer in scope.\n\n### A Note on Gaia\n\nGaia is included only as a reference implementation of the Cosmos Stack.\nAll Cosmos Hub-specific features, third-party modules, or non-core functionality in the Gaia repository are out of scope for bounty rewards.\n\n# Program Policies\n\n* All submissions must include a Proof of Concept demonstrating real-world impact and exploitability. The proof of concept must be code that can be read and run by the security team. Descriptions of attacks do not count as valid PoCs and will result in submissions being closed as \"Not Applicable\".\n* PoCs must demonstrate real user flows\n* Mock-only or database-only calls are insufficient\n* Reports without adequate detail will be closed or returned\n\nSubmissions must be original work authored by humans. Reports generated or significantly assisted by AI tools (including but not limited to ChatGPT, Claude, Copilot, etc.) are prohibited and will result in immediate closure and potential program ban. 
All submissions must demonstrate genuine human understanding, manual testing, and original analysis.\n\n## Eligibility for Bounty\n\nTo be eligible for consideration under our bug bounty program, researchers must meet the following criteria: \n\n* You must not have been employed by or contracted to the team maintaining the affected code within the last 12 months\n* You must submit exclusively through HackerOne\n* Email submissions are not eligible for bounty rewards\n* You must maintain a HackerOne reputation score above 150 and a HackerOne signal above 1.\n* Have a HackerOne profile that is at least 6 months old.\n* If the researcher has previously submitted to our program, they must maintain a valid-to-closed report ratio above 50%.\n\nSubmissions from researchers who do not meet these requirements will be closed as Spam. Repeated submissions that fail to meet these criteria may result in removal from the program and/or a platform ban.\n\n## Confidentiality\n\nAll communication regarding submitted issues must occur exclusively on HackerOne.\n\nExternal communication, out-of-band disclosures, or premature publication will void eligibility for bounty rewards and future participation.\n\n## Official Channels\n\nHackerOne: official vulnerability reporting platform\nEmail (non-bounty): security@cosmoslabs.io\n\nEmail reports are accepted for disclosure purposes only and are not eligible for bounty rewards.\n\n## Disclosure\n\nPublic disclosure is supported only after an issue is marked Resolved on HackerOne.\n\nResearchers may request attribution in advisories or release documentation once disclosure is approved.  Researchers who bypass this will be banned permanently from all of our programs.\n\n## Good Faith\n\nResearchers must act respectfully and in good faith at all times. 
Misconduct—including threats, harassment, extortion, public shaming, or false accusations—will result in report closure and permanent exclusion from the program.\nCosmos Labs will work with you in good faith, but in the case of any dispute Cosmos Labs’ decision will be final.\n\n## Safe Harbor\n\nResearch conducted in accordance with this policy is considered:\n\n* Authorized under applicable anti-hacking and anti-circumvention laws\n* Exempt from relevant TOS/AUP restrictions\n* Conducted lawfully and in good faith\n* Safe Harbor applies only to claims under the control of participating organizations.\n\n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer covering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}","{\"category\":\"Cosmos EVM modules that are not covered or maintained\",\"details\":\"`x/precisebank` in Cosmos EVM is no longer covered in this program and will no longer be maintained. Older versions of this software will not be patched and users are urged to no longer use this.\"}"],"timestamp":"2026-05-12T17:30:45.040Z"},{"id":3773572,"new_policy":"# Cosmos Stack Bug Bounty Program\n\nCosmos Labs believes that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Cosmos Stack.\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol. 
As such, this program is not the right place to search for web application vulnerabilities like XSS, CSRF, and header misconfigurations.\n\nThe focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that make up the Cosmos Stack. Assets in scope include source code for integral components of Cosmos, and do not include third-party services or IT assets.  These assets are fully defined in our Scope section.\nBounty rewards are based on multiple factors, including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, available here.\n\n## Program Rewards\n\nWhile there is no maximum program reward at this time, we value creative findings and high-severity bugs, and we maintain a robust program budget to reward them accordingly.\n\nWe evaluate each report and rate the severity of submitted issues. At our discretion, we may reward exceptionally high-quality reports or creative lower-severity findings at a higher tier.\n\nInformational reports are not eligible for bounty rewards.  
Repeated informational or inapplicable submissions will be treated as spam and result in exclusion from the program.\n\nRewards for eligible bugs are paid out according to our assessment of issue severity:\n\n* Critical: starting at $50,000\n* High: starting at $12,500\n* Medium: starting at $2,500\n* Low: starting at $1,000\n\nIf duplicate reports are received, a bounty (if applicable) will be awarded to the first valid reporter.\nWhen an issue is on track to be mitigated or remediated, we will coordinate with researchers to credit the finding in advisories and release notes, and to support disclosure of valid issues reported through this program.\n\n## Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes they have discovered a vulnerability in the Cosmos Stack.\nThis policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Cosmos Stack and the teams and infrastructure it supports. It supersedes all previous security policies used by individual teams or projects within scope.\n\n## Our Commitments\n\nWhen working with us under this policy, we will always use reasonable efforts to:\n\n* Respond and work with you to understand and validate reports\n* Keep you informed about vulnerability status and progress\n* Remediate valid vulnerabilities in a timely manner, within operational constraints\n* Extend Safe Harbor for security research conducted in accordance with this policy\n\n## Expectations of Researchers\n\nWhen participating in this program in good faith, researchers must follow these guidelines. Participants who violate these expectations may have their reports closed, be deemed ineligible for bounty rewards, or be permanently banned from the program at Cosmos Labs’ discretion. 
\n\n* Adhere to the policy and agreements, including the requirements for confidentiality, privacy, disclosure, and eligibility.\n* Never violate privacy, disrupt systems, destroy data, or harm user experience\n* Use only Official Channels to discuss vulnerability information\n* Only disclose remediated vulnerabilities.\n* Perform testing and submit reports only on in-scope systems\n* Limit data access strictly to what is required for proof of concept\n* Cease testing immediately and submit a report if any sensitive user data is encountered (PII, PHI, financial data, proprietary information)\n* Use only test accounts you own or have explicit permission to use\n* Never engage in extortion or coercive behavior\n\nIn addition, repeated submissions that do not meet program guidelines will result in a ban from the program.\n\n# Program Scope\n\nWe are interested in a full range of vulnerabilities with demonstrable security impact, ranging from issues proven with unit tests to those requiring full cluster deployments and complex transaction flows.\n\n## Release Policy Requirement\n\nOnly released code is eligible for bounty rewards.\n\nTo be considered valid and in scope:\n\n* The issue must exist in released code that is tagged and actively maintained under the Cosmos Release Family Policy\n* Code that exists only on main, master, or other development branches is not in scope\n\nThe Release Family Policy is defined here:\n\nhttps://docs.cosmos.network/sdk/latest/release-family#upgrades-and-support\n\n## In Scope\n\n* The issue must be exploitable in an intended deployed environment and configuration.\n* Exploitation must not require a previously compromised environment (e.g., a compromised node or a majority-compromised consensus).\n* The issue must exist in a supported release according to the Release Family Policy.\n\n## Out of Scope\n\n* Issues requiring a compromised environment to exploit.\n* Assets not explicitly listed as in scope, including those not owned by 
participating teams.\n* Issues already publicly or privately addressed.\n* Third-party services and websites.\n* Web vulnerabilities (including but not limited to XSS, CSRF, CORS, cookie flags, TLS config, headers, email configuration).\n* Documented configuration behaviors in expected deployment scenarios.\n* Governance misconfiguration-specific issues.\n* Package registry or dependency management issues without Cosmos-specific exploit PoCs.\n* Social engineering attacks.\n* Scanner-generated or informational-only reports.\n* Dependency vulnerability reports without demonstrated impact on in-scope systems.\n* Non-trivial or volumetric DoS attacks mitigated by gas, fees, or operational controls.\n* Architectural critiques without immediate exploitability.\n* Issues fixed upstream less than 90 days prior.\n* Downstream effects of previously resolved bounty issues.\n* Following https://github.com/cosmos/cosmos-sdk/pull/25090, the x/group, x/circuit, x/crisis, and x/nft modules are no longer in scope.\n\n### A Note on Gaia\n\nGaia is included only as a reference implementation of the Cosmos Stack.\nAll Cosmos Hub-specific features, third-party modules, or non-core functionality in the Gaia repository are out of scope for bounty rewards.\n\n# Program Policies\n\n* All submissions must include a Proof of Concept demonstrating real-world impact and exploitability. The proof of concept must be code that can be read and run by the security team. Descriptions of attacks do not count as valid PoCs and will result in submissions being closed as \"Not Applicable\".\n* PoCs must demonstrate real user flows\n* Mock-only or database-only calls are insufficient\n* Reports without adequate detail will be closed or returned\n\nSubmissions must be original work authored by humans. Reports generated or significantly assisted by AI tools (including but not limited to ChatGPT, Claude, Copilot, etc.) are prohibited and will result in immediate closure and potential program ban. 
All submissions must demonstrate genuine human understanding, manual testing, and original analysis.\n\n## Eligibility for Bounty\n\nTo be eligible for consideration under our bug bounty program, researchers must meet the following criteria: \n\n* You must not have been employed by or contracted to the team maintaining the affected code within the last 12 months\n* You must submit exclusively through HackerOne\n* Email submissions are not eligible for bounty rewards\n* You must maintain a HackerOne reputation score above 150 and a HackerOne signal above 1.\n* Have a HackerOne profile that is at least 6 months old.\n* If the researcher has previously submitted to our program, they must maintain a valid-to-closed report ratio above 50%.\n\nSubmissions from researchers who do not meet these requirements will be closed as Spam. Repeated submissions that fail to meet these criteria may result in removal from the program and/or a platform ban.\n\n## Confidentiality\n\nAll communication regarding submitted issues must occur exclusively on HackerOne.\n\nExternal communication, out-of-band disclosures, or premature publication will void eligibility for bounty rewards and future participation.\n\n## Official Channels\n\nHackerOne: official vulnerability reporting platform\nEmail (non-bounty): security@cosmoslabs.io\n\nEmail reports are accepted for disclosure purposes only and are not eligible for bounty rewards.\n\n## Disclosure\n\nPublic disclosure is supported only after an issue is marked Resolved on HackerOne.\n\nResearchers may request attribution in advisories or release documentation once disclosure is approved.\n\n## Good Faith\n\nResearchers must act respectfully and in good faith at all times. 
Misconduct—including threats, harassment, extortion, public shaming, or false accusations—will result in report closure and permanent exclusion from the program.\nCosmos Labs will work with you in good faith, but in the case of any dispute Cosmos Labs’ decision will be final.\n\n## Safe Harbor\n\nResearch conducted in accordance with this policy is considered:\n\n* Authorized under applicable anti-hacking and anti-circumvention laws\n* Exempt from relevant TOS/AUP restrictions\n* Conducted lawfully and in good faith\n* Safe Harbor applies only to claims under the control of participating organizations.\n\n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer covering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}"],"timestamp":"2026-05-04T15:04:30.714Z"},{"id":3773383,"new_policy":"# Cosmos Stack Bug Bounty Program\n\n## Overview\n\nSecurity is fundamental to the long-term success of the Cosmos Stack. This program reflects our ongoing commitment to building secure, resilient blockchain infrastructure and to working collaboratively with the security research community.\n\nWe have operated this program for over 8 years, maintain industry-standard Safe Harbor protections, and are committed to responding to high-quality reports efficiently and in good faith.\n\nThis policy defines strict participation requirements. Researchers who follow these guidelines contribute meaningfully to the ecosystem. 
Those who do not will be removed from the program.\n\n---\n\n## Program Rewards\n\nWe reward impactful, high-quality vulnerability reports.\n\n- **Critical:** starting at $50,000  \n- **High:** starting at $12,500  \n- **Medium:** starting at $2,500  \n- **Low:** starting at $1,000  \n\nThere is no maximum reward.\n\nReward determinations are based on:\n\n- Impact  \n- Likelihood of exploitation  \n- Report quality  \n- Reproducibility  \n\n**All reward decisions are made at our sole discretion.**\n\nAdditional rules:\n\n- Informational reports are **not eligible**\n- Duplicate reports are awarded to the **first valid submission only**\n- Exceptionally high-quality reports can be rewarded above their tier\n\n---\n\n## Key Program Requirements\n\nTo participate in this program, you must:\n\n- Test **only in-scope systems and supported, released code**\n- Submit **clear, high-quality reports with a valid Proof of Concept**\n- Demonstrate **real-world exploitability and impact**\n- Limit testing strictly to what is necessary to prove the issue\n- Use **only official channels (HackerOne)** for all communication\n\nThe following actions **will result in immediate report closure and a ban from the program**:\n\n- Repeated low-quality or spam submissions  \n- Submitting out-of-scope issues  \n- Attempting to bypass program rules  \n- Contacting team members outside official channels  \n- Violating confidentiality requirements  \n\n---\n\n## Proof of Concept Requirements\n\nAll submissions **must include a valid Proof of Concept (PoC)**.\n\n- The PoC must be **executable and reproducible by the security team**\n- It must demonstrate **real user flows and real impact**\n- Descriptions or theoretical attacks are **not sufficient**\n- Mock-only or database-only scenarios are **not sufficient**\n\nReports that do not meet these requirements **will be classified as Spam**.\n\nRepeated Spam submissions **will result in a permanent ban from the program and reporting to 
HackerOne**.\n\n---\n\n## AI-Generated Submissions\n\nSubmissions must reflect **original human analysis**.\n\nThe following are prohibited:\n\n- Fully AI-generated reports  \n- Heavily AI-assisted submissions without demonstrated understanding  \n- Template-based or mass-generated reports  \n\nViolations **will result in immediate report closure, a permanent ban from the program, and reporting to HackerOne**.\n\n---\n\n## Confidentiality and Disclosure\n\nAll vulnerability information must be handled strictly through official channels.\n\nThe following actions are strictly prohibited:\n\n- Sharing any HackerOne communications outside the platform  \n- Publicly disclosing vulnerabilities before resolution  \n- Discussing reports in external forums, social media, or private groups  \n\nViolations **will result in immediate report closure, a permanent ban from the program, and reporting to HackerOne**.\n\nPublic disclosure is permitted **only after** an issue is marked **Resolved** on HackerOne.\n\n---\n\n## Researcher Expectations\n\nWhen participating in this program, you must:\n\n- Act in good faith at all times  \n- Avoid harming users, systems, or data  \n- Immediately stop testing if sensitive data is exposed  \n- Use only accounts you own or are authorized to use  \n- Maintain strict confidentiality  \n\nFailure to meet these expectations **will result in removal from the program**.\n\n---\n\n## Eligibility Requirements\n\nTo be eligible for bounty rewards:\n\n- Submit exclusively via **HackerOne**  \n- Maintain:\n  - Reputation score **\u003e 150**\n  - Signal **\u003e 1**\n  - Account age **≥ 6 months**\n- Maintain a **valid-to-closed ratio above 50%**\n- Not have worked on the affected codebase in the past **12 months**\n\nSubmissions that do not meet these requirements **will be classified as Spam**.\n\nRepeated violations **will result in removal from the program and reporting to HackerOne**.\n\n---\n\n## Program Disclaimer\n\nBy participating in this 
program, you acknowledge and agree that:\n\n- **All bounty decisions are made at our sole discretion**\n- **Program rules, scope, and rewards can change at any time without notice**\n- **We can suspend, terminate, or modify the program at any time**\n- **We can remove any participant from the program at any time, for any reason**\n\nParticipation constitutes acceptance of these terms.\n\n---\n\n## Official Channels\n\n- **HackerOne:** primary reporting channel  \n- **security@cosmoslabs.io:** disclosure only (not bounty-eligible)\n\n---\n\n## Safe Harbor\n\nResearch conducted in accordance with this policy is considered:\n\n- Authorized under applicable laws  \n- Exempt from relevant ToS/AUP restrictions  \n- Conducted in good faith  \n\nSafe Harbor applies only to actions within the scope of this program.\n\n---\n\n## A Note on Gaia\n\nGaia is included only as a **reference implementation** of the Cosmos Stack.\n\nAll Cosmos Hub-specific features, third-party modules, or non-core functionality in the Gaia repository are **out of scope**.\n\n---\n\n## Closing\n\nWe value the contributions of the security research community and recognize the important role you play in strengthening open, secure software systems.\n\nHigh-quality, responsible research is essential to the long-term health of the Cosmos ecosystem.\n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer covering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}"],"timestamp":"2026-04-29T18:13:20.599Z"},{"id":3772434,"new_policy":"# Cosmos Stack 
Bug Bounty Program\n\nWithin the Cosmos ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Cosmos Stack that is built by decentralized development teams.\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol. As such, this program **is not** the right place to search for web application vulnerabilities like XSS, CSRF, and header misconfigurations.\n\nThe focus of this program is on surfacing vulnerabilities in the **protocols, modules, and infrastructure** that make up the Cosmos Stack. Assets in scope include source code for integral components of Cosmos, and **do not** include third-party services or IT assets.\n\nBounty rewards are based on multiple factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, available [here](https://github.com/cosmos/security/blob/main/resources/CLASSIFICATION_MATRIX.md).\n\n---\n\n## Program Rewards\n\nWhile there is no maximum program reward at this time, we value creative findings and high-severity bugs, and we maintain a robust program budget to reward them accordingly.\n\nWe evaluate each report and are responsible for rating the severity of submitted issues. 
At our discretion, we may reward exceptionally high-quality reports or creative lower-severity findings at a higher tier.\n\n**Informational reports are not eligible for bounty rewards.**\n\nRewards for eligible bugs are paid out according to issue severity:\n\n- **Critical:** starting at $50,000  \n- **High:** starting at $12,500  \n- **Medium:** starting at $2,500  \n- **Low:** starting at $1,000  \n\nIf duplicate reports are received, a bounty (if applicable) will be awarded to the **first valid reporter**.\n\nWhen an issue is on track to be mitigated or remediated, we will coordinate with researchers to credit the finding in advisories and release notes, and to support disclosure of valid issues reported through this program.\n\n---\n\n## Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes they have discovered a vulnerability in the Cosmos Stack.\n\nThis policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Cosmos Stack and the teams and infrastructure it supports. 
It supersedes all previous security policies used by individual teams or projects within scope.\n\nFor the most up-to-date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n---\n\n## Our Commitments\n\nWhen working with us under this policy, you can expect us to:\n\n- Respond promptly and work with you to understand and validate reports\n- Keep you informed about vulnerability status and progress\n- Remediate valid vulnerabilities in a timely manner, within operational constraints\n- Extend Safe Harbor for security research conducted in accordance with this policy\n\n---\n\n## Our Expectations\n\nWhen participating in this program in good faith, we ask that you:\n\n- Follow this policy and all relevant agreements\n- Report vulnerabilities promptly\n- Avoid violating privacy, disrupting systems, destroying data, or harming user experience\n- Use only **Official Channels** to discuss vulnerability information\n- Allow **at least 90 days** from initial report before public disclosure\n- Perform testing only on **in-scope systems**\n- Limit data access strictly to what is required for proof of concept\n- Cease testing immediately and submit a report if any sensitive user data is encountered (PII, PHI, financial data, proprietary information)\n- Use only test accounts you own or have explicit permission to use\n- Not engage in extortion or coercive behavior\n\n**Repeated submissions that do not meet program guidelines will result in a ban from the program.**\n\nParticipants who violate these expectations may have their reports closed, deemed ineligible for bounty rewards, or be permanently banned from the program.\n\n---\n\n## Program Scope\n\nWe are interested in a full range of vulnerabilities with demonstrable security impact, ranging from issues proven with unit tests to those requiring full cluster deployments and complex transaction flows.\n\nExamples include (but are not limited 
to):\n\n- Memory allocation and safety issues  \n- Race conditions and concurrency bugs  \n- Timing attacks  \n- Information leaks  \n- Authentication or authorization bypasses  \n- Incorrect block or state validation  \n- Trivial denial-of-service issues  \n- Lost writes or state corruption  \n- Business logic flaws  \n- Transactions or payloads that cause unhandled panics  \n\n### Release Policy Requirement\n\n**Only released code is eligible for bounty rewards.**\n\nTo be considered valid and in scope:\n- The issue **must exist in released code** that is tagged and actively maintained under the Cosmos **Release Family Policy**\n- Code that exists only on `main`, `master`, or other development branches **is not in scope**\n\nThe Release Family Policy is defined here:  \nhttps://github.com/cosmos/security/blob/main/POLICY.md\n\n---\n\n## In Scope\n\n1. The issue must be exploitable in an intended deployed environment and configuration.\n2. Exploitation must not require a previously compromised environment (e.g., compromised node, majority-compromised consensus).\n3. The issue must exist in a supported release according to the Release Family Policy.\n\n---\n\n## Out of Scope\n\n1. Issues requiring a compromised environment to exploit.\n2. Assets not explicitly listed as in scope, including those not owned by participating teams.\n3. Issues already publicly or privately addressed.\n4. Third-party services and websites.\n5. Web vulnerabilities (including but not limited to XSS, CSRF, CORS, cookie flags, TLS config, headers, email configuration).\n6. Documented configuration behaviors in expected deployment scenarios.\n7. Governance misconfiguration-specific issues.\n8. Package registry or dependency management issues without Cosmos-specific exploit PoCs.\n9. Social engineering attacks.\n10. Scanner-generated or informational-only reports.\n11. Dependency vulnerability reports without demonstrated impact on in-scope systems.\n12. 
Non-trivial or volumetric DoS attacks mitigated by gas, fees, or operational controls.\n13. Architectural critiques without immediate exploitability.\n14. Issues fixed upstream less than 90 days prior.\n15. Downstream effects of previously resolved bounty issues.\n16. Following https://github.com/cosmos/cosmos-sdk/pull/25090, the `x/group`, `x/circuit`, `x/crisis`, and `x/nft` modules are no longer in scope.\n\n---\n\n## A Note on Gaia\n\nGaia is included only as a **reference implementation** of the Cosmos Stack.\n\nAll Hub-specific features, third-party modules, or non-core functionality in the Gaia repository are **out of scope** for bounty rewards.\n\n---\n\n## Program Policies\n\nAll submissions **must include a Proof of Concept** demonstrating real-world impact and exploitability.  The proof of concept must be code that can be read and run by the security team.  Descriptions of attacks do not count as valid PoCs and will result in submissions being closed as \"Not Applicable\".\n\n- PoCs must demonstrate real user flows\n- Mock-only or database-only calls are insufficient\n- Reports without adequate detail may be closed or returned\n\nSubmissions must be original work authored by humans. Reports generated or significantly assisted by AI tools (including but not limited to ChatGPT, Claude, Copilot, etc.) are prohibited and will result in immediate closure and potential program ban. All submissions must demonstrate genuine human understanding, manual testing, and original analysis.\n\nTo be eligible for consideration under our bug bounty program, researchers must meet the following criteria:\n\n- Maintain a HackerOne reputation score above 150.\n- Maintain a HackerOne signal above 1.\n- Have a HackerOne profile that is at least 6 months old.\n- If the researcher has previously submitted to our program, they must maintain a valid-to-closed report ratio above 50%.\n\nSubmissions from researchers who do not meet these requirements will be closed as Spam. 
Repeated submissions that fail to meet these criteria may result in removal from the program and/or a platform ban.\n\n---\n\n## Eligibility for Bounty\n\nTo be eligible for a bounty reward:\n\n- You must not have been employed by or contracted to the team maintaining the affected code within the last **12 months**\n- You must submit exclusively through **HackerOne**\n- Email submissions are **not eligible** for bounty rewards\n\n---\n\n## Confidentiality\n\nAll communication regarding submitted issues must occur **exclusively on HackerOne**.\n\nExternal communication, out-of-band disclosures, or premature publication may void eligibility for bounty rewards and future participation.\n\n---\n\n## Official Channels\n\n- HackerOne: official vulnerability reporting platform\n- Email (non-bounty): [security@cosmoslabs.io](mailto:security@cosmoslabs.io)\n\nEmail reports are accepted for disclosure purposes only and are not eligible for bounty rewards.\n\n---\n\n## Disclosure\n\nPublic disclosure is supported **only after** an issue is marked **Resolved** on HackerOne.\n\nResearchers may request attribution in advisories or release documentation once disclosure is approved.\n\n---\n\n## Good Faith\n\nResearchers must act respectfully and in good faith at all times. 
Misconduct—including threats, harassment, extortion, or false accusations—will result in report closure and permanent exclusion from the program.\n\n---\n\n## Safe Harbor\n\nResearch conducted in accordance with this policy is considered:\n\n- Authorized under applicable anti-hacking and anti-circumvention laws\n- Exempt from relevant TOS/AUP restrictions\n- Conducted lawfully and in good faith\n\nSafe Harbor applies only to claims under the control of participating organizations.\n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer covering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}"],"timestamp":"2026-04-09T20:52:30.627Z"},{"id":3770454,"new_policy":"# Cosmos Stack Bug Bounty Program\n\nWithin the Cosmos ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Cosmos Stack that is built by decentralized development teams.\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol. As such, this program **is not** the right place to search for web application vulnerabilities like XSS, CSRF, and header misconfigurations.\n\nThe focus of this program is on surfacing vulnerabilities in the **protocols, modules, and infrastructure** that make up the Cosmos Stack. 
Assets in scope include source code for integral components of Cosmos, and **do not** include third-party services or IT assets.\n\nBounty rewards are based on multiple factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, available [here](https://github.com/cosmos/security/blob/main/resources/CLASSIFICATION_MATRIX.md).\n\n---\n\n## Program Rewards\n\nWhile there is no maximum program reward at this time, we value creative findings and high-severity bugs, and we maintain a robust program budget to reward them accordingly.\n\nWe evaluate each report and are responsible for rating the severity of submitted issues. At our discretion, we may reward exceptionally high-quality reports or creative lower-severity findings at a higher tier.\n\n**Informational reports are not eligible for bounty rewards.**\n\nRewards for eligible bugs are paid out according to issue severity:\n\n- **Critical:** starting at $50,000  \n- **High:** starting at $25,000  \n- **Medium:** starting at $5,000  \n- **Low:** starting at $2,000  \n\nIf duplicate reports are received, a bounty (if applicable) will be awarded to the **first valid reporter**.\n\nWhen an issue is on track to be mitigated or remediated, we will coordinate with researchers to credit the finding in advisories and release notes, and to support disclosure of valid issues reported through this program.\n\n---\n\n## Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes they have discovered a vulnerability in the Cosmos Stack.\n\nThis policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Cosmos Stack and the teams and infrastructure it supports. 
It supersedes all previous security policies used by individual teams or projects within scope.\n\nFor the most up-to-date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n---\n\n## Our Commitments\n\nWhen working with us under this policy, you can expect us to:\n\n- Respond promptly and work with you to understand and validate reports\n- Keep you informed about vulnerability status and progress\n- Remediate valid vulnerabilities in a timely manner, within operational constraints\n- Extend Safe Harbor for security research conducted in accordance with this policy\n\n---\n\n## Our Expectations\n\nWhen participating in this program in good faith, we ask that you:\n\n- Follow this policy and all relevant agreements\n- Report vulnerabilities promptly\n- Avoid violating privacy, disrupting systems, destroying data, or harming user experience\n- Use only **Official Channels** to discuss vulnerability information\n- Allow **at least 90 days** from initial report before public disclosure\n- Perform testing only on **in-scope systems**\n- Limit data access strictly to what is required for proof of concept\n- Cease testing immediately and submit a report if any sensitive user data is encountered (PII, PHI, financial data, proprietary information)\n- Use only test accounts you own or have explicit permission to use\n- Not engage in extortion or coercive behavior\n\n**Repeated submissions that do not meet program guidelines will result in a ban from the program.**\n\nParticipants who violate these expectations may have their reports closed, deemed ineligible for bounty rewards, or be permanently banned from the program.\n\n---\n\n## Program Scope\n\nWe are interested in a full range of vulnerabilities with demonstrable security impact, ranging from issues proven with unit tests to those requiring full cluster deployments and complex transaction flows.\n\nExamples include (but are not limited 
to):\n\n- Memory allocation and safety issues  \n- Race conditions and concurrency bugs  \n- Timing attacks  \n- Information leaks  \n- Authentication or authorization bypasses  \n- Incorrect block or state validation  \n- Trivial denial-of-service issues  \n- Lost writes or state corruption  \n- Business logic flaws  \n- Transactions or payloads that cause unhandled panics  \n\n### Release Policy Requirement\n\n**Only released code is eligible for bounty rewards.**\n\nTo be considered valid and in scope:\n- The issue **must exist in released code** that is tagged and actively maintained under the Cosmos **Release Family Policy**\n- Code that exists only on `main`, `master`, or other development branches **is not in scope**\n\nThe Release Family Policy is defined here:  \nhttps://github.com/cosmos/security/blob/main/POLICY.md\n\n---\n\n## In Scope\n\n1. The issue must be exploitable in an intended deployed environment and configuration.\n2. Exploitation must not require a previously compromised environment (e.g., compromised node, majority-compromised consensus).\n3. The issue must exist in a supported release according to the Release Family Policy.\n\n---\n\n## Out of Scope\n\n1. Issues requiring a compromised environment to exploit.\n2. Assets not explicitly listed as in scope, including those not owned by participating teams.\n3. Issues already publicly or privately addressed.\n4. Third-party services and websites.\n5. Web vulnerabilities (including but not limited to XSS, CSRF, CORS, cookie flags, TLS config, headers, email configuration).\n6. Documented configuration behaviors in expected deployment scenarios.\n7. Governance misconfiguration-specific issues.\n8. Package registry or dependency management issues without Cosmos-specific exploit PoCs.\n9. Social engineering attacks.\n10. Scanner-generated or informational-only reports.\n11. Dependency vulnerability reports without demonstrated impact on in-scope systems.\n12. 
Non-trivial or volumetric DoS attacks mitigated by gas, fees, or operational controls.\n13. Architectural critiques without immediate exploitability.\n14. Issues fixed upstream less than 90 days prior.\n15. Downstream effects of previously resolved bounty issues.\n16. Following https://github.com/cosmos/cosmos-sdk/pull/25090, the `x/group`, `x/circuit`, `x/crisis`, and `x/nft` modules are no longer in scope.\n\n---\n\n## A Note on Gaia\n\nGaia is included only as a **reference implementation** of the Cosmos Stack.\n\nAll Hub-specific features, third-party modules, or non-core functionality in the Gaia repository are **out of scope** for bounty rewards.\n\n---\n\n## Program Policies\n\nAll submissions **must include a Proof of Concept** demonstrating real-world impact and exploitability.  The proof of concept must be code that can be read and run by the security team.  Descriptions of attacks do not count as valid PoCs and will result in submissions being closed as \"Not Applicable\".\n\n- PoCs must demonstrate real user flows\n- Mock-only or database-only calls are insufficient\n- Reports without adequate detail may be closed or returned\n\nSubmissions must be original work authored by humans. Reports generated or significantly assisted by AI tools (including but not limited to ChatGPT, Claude, Copilot, etc.) are prohibited and will result in immediate closure and potential program ban. All submissions must demonstrate genuine human understanding, manual testing, and original analysis.\n\nTo be eligible for consideration under our bug bounty program, researchers must meet the following criteria:\n\n- Maintain a HackerOne reputation score above 150.\n- Maintain a HackerOne signal above 1.\n- Have a HackerOne profile that is at least 6 months old.\n- If the researcher has previously submitted to our program, they must maintain a valid-to-closed report ratio above 50%.\n\nSubmissions from researchers who do not meet these requirements will be closed as Spam. 
Repeated submissions that fail to meet these criteria may result in removal from the program and/or a platform ban.\n\n---\n\n## Eligibility for Bounty\n\nTo be eligible for a bounty reward:\n\n- You must not have been employed by or contracted to the team maintaining the affected code within the last **12 months**\n- You must submit exclusively through **HackerOne**\n- Email submissions are **not eligible** for bounty rewards\n\n---\n\n## Confidentiality\n\nAll communication regarding submitted issues must occur **exclusively on HackerOne**.\n\nExternal communication, out-of-band disclosures, or premature publication may void eligibility for bounty rewards and future participation.\n\n---\n\n## Official Channels\n\n- HackerOne: official vulnerability reporting platform\n- Email (non-bounty): [security@cosmoslabs.io](mailto:security@cosmoslabs.io)\n\nEmail reports are accepted for disclosure purposes only and are not eligible for bounty rewards.\n\n---\n\n## Disclosure\n\nPublic disclosure is supported **only after** an issue is marked **Resolved** on HackerOne.\n\nResearchers may request attribution in advisories or release documentation once disclosure is approved.\n\n---\n\n## Good Faith\n\nResearchers must act respectfully and in good faith at all times. 
Misconduct—including threats, harassment, extortion, or false accusations—will result in report closure and permanent exclusion from the program.\n\n---\n\n## Safe Harbor\n\nResearch conducted in accordance with this policy is considered:\n\n- Authorized under applicable anti-hacking and anti-circumvention laws\n- Exempt from relevant TOS/AUP restrictions\n- Conducted lawfully and in good faith\n\nSafe Harbor applies only to claims under the control of participating organizations.\n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer covering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}"],"timestamp":"2026-03-02T19:06:29.372Z"},{"id":3770453,"new_policy":"# Cosmos Stack Bug Bounty Program\n\nWithin the Cosmos ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Cosmos Stack that is built by decentralized development teams.\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol. As such, this program **is not** the right place to search for web application vulnerabilities like XSS, CSRF, and header misconfigurations.\n\nThe focus of this program is on surfacing vulnerabilities in the **protocols, modules, and infrastructure** that make up the Cosmos Stack. 
Assets in scope include source code for integral components of Cosmos, and **do not** include third-party services or IT assets.\n\nBounty rewards are based on multiple factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, available [here](https://github.com/cosmos/security/blob/main/resources/CLASSIFICATION_MATRIX.md).\n\n---\n\n## Program Rewards\n\nWhile there is no maximum program reward at this time, we value creative findings and high-severity bugs, and we maintain a robust program budget to reward them accordingly.\n\nWe evaluate each report and are responsible for rating the severity of submitted issues. At our discretion, we may reward exceptionally high-quality reports or creative lower-severity findings at a higher tier.\n\n**Informational reports are not eligible for bounty rewards.**\n\nRewards for eligible bugs are paid out according to issue severity:\n\n- **Critical:** starting at $50,000  \n- **High:** starting at $25,000  \n- **Medium:** starting at $5,000  \n- **Low:** starting at $2,000  \n\nIf duplicate reports are received, a bounty (if applicable) will be awarded to the **first valid reporter**.\n\nWhen an issue is on track to be mitigated or remediated, we will coordinate with researchers to credit the finding in advisories and release notes, and to support disclosure of valid issues reported through this program.\n\n---\n\n## Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes they have discovered a vulnerability in the Cosmos Stack.\n\nThis policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Cosmos Stack and the teams and infrastructure it supports. 
It supersedes all previous security policies used by individual teams or projects within scope.\n\nFor the most up-to-date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n---\n\n## Our Commitments\n\nWhen working with us under this policy, you can expect us to:\n\n- Respond promptly and work with you to understand and validate reports\n- Keep you informed about vulnerability status and progress\n- Remediate valid vulnerabilities in a timely manner, within operational constraints\n- Extend Safe Harbor for security research conducted in accordance with this policy\n\n---\n\n## Our Expectations\n\nWhen participating in this program in good faith, we ask that you:\n\n- Follow this policy and all relevant agreements\n- Report vulnerabilities promptly\n- Avoid violating privacy, disrupting systems, destroying data, or harming user experience\n- Use only **Official Channels** to discuss vulnerability information\n- Allow **at least 90 days** from initial report before public disclosure\n- Perform testing only on **in-scope systems**\n- Limit data access strictly to what is required for proof of concept\n- Cease testing immediately and submit a report if any sensitive user data is encountered (PII, PHI, financial data, proprietary information)\n- Use only test accounts you own or have explicit permission to use\n- Not engage in extortion or coercive behavior\n\n**Repeated submissions that do not meet program guidelines will result in a ban from the program.**\n\nParticipants who violate these expectations may have their reports closed, deemed ineligible for bounty rewards, or be permanently banned from the program.\n\n---\n\n## Program Scope\n\nWe are interested in a full range of vulnerabilities with demonstrable security impact, ranging from issues proven with unit tests to those requiring full cluster deployments and complex transaction flows.\n\nExamples include (but are not limited 
to):\n\n- Memory allocation and safety issues  \n- Race conditions and concurrency bugs  \n- Timing attacks  \n- Information leaks  \n- Authentication or authorization bypasses  \n- Incorrect block or state validation  \n- Trivial denial-of-service issues  \n- Lost writes or state corruption  \n- Business logic flaws  \n- Transactions or payloads that cause unhandled panics  \n\n### Release Policy Requirement\n\n**Only released code is eligible for bounty rewards.**\n\nTo be considered valid and in scope:\n- The issue **must exist in released code** that is tagged and actively maintained under the Cosmos **Release Family Policy**\n- Code that exists only on `main`, `master`, or other development branches **is not in scope**\n\nThe Release Family Policy is defined here:  \nhttps://github.com/cosmos/security/blob/main/POLICY.md\n\n---\n\n## In Scope\n\n1. The issue must be exploitable in an intended deployed environment and configuration.\n2. Exploitation must not require a previously compromised environment (e.g., compromised node, majority-compromised consensus).\n3. The issue must exist in a supported release according to the Release Family Policy.\n\n---\n\n## Out of Scope\n\n1. Issues requiring a compromised environment to exploit.\n2. Assets not explicitly listed as in scope, including those not owned by participating teams.\n3. Issues already publicly or privately addressed.\n4. Third-party services and websites.\n5. Web vulnerabilities (including but not limited to XSS, CSRF, CORS, cookie flags, TLS config, headers, email configuration).\n6. Documented configuration behaviors in expected deployment scenarios.\n7. Governance misconfiguration-specific issues.\n8. Package registry or dependency management issues without Cosmos-specific exploit PoCs.\n9. Social engineering attacks.\n10. Scanner-generated or informational-only reports.\n11. Dependency vulnerability reports without demonstrated impact on in-scope systems.\n12. 
Non-trivial or volumetric DoS attacks mitigated by gas, fees, or operational controls.\n13. Architectural critiques without immediate exploitability.\n14. Issues fixed upstream less than 90 days prior.\n15. Downstream effects of previously resolved bounty issues.\n16. Following https://github.com/cosmos/cosmos-sdk/pull/25090, the `x/group`, `x/circuit`, `x/crisis`, and `x/nft` modules are no longer in scope.\n\n---\n\n## A Note on Gaia\n\nGaia is included only as a **reference implementation** of the Cosmos Stack.\n\nAll Hub-specific features, third-party modules, or non-core functionality in the Gaia repository are **out of scope** for bounty rewards.\n\n---\n\n## Program Policies\n\nAll submissions **must include a Proof of Concept** demonstrating real-world impact and exploitability.  The proof of concept must be code that can be read and run by the security team.  Descriptions of attacks do not count as valid PoCs and will result in submissions being closed as \"Not Applicable\".\n\n- PoCs must demonstrate real user flows\n- Mock-only or database-only calls are insufficient\n- Reports without adequate detail may be closed or returned\n\nSubmissions must be original work authored by humans. Reports generated or significantly assisted by AI tools (including but not limited to ChatGPT, Claude, Copilot, etc.) are prohibited and will result in immediate closure and potential program ban. All submissions must demonstrate genuine human understanding, manual testing, and original analysis.\n\nTo be eligible for consideration under our bug bounty program, researchers must meet the following criteria:\n\n- Maintain a HackerOne reputation score above 200.\n- Maintain a HackerOne signal above 1.\n- Have a HackerOne profile that is at least 6 months old.\n- If the researcher has previously submitted to our program, they must maintain a valid-to-closed report ratio above 50%.\n\nSubmissions from researchers who do not meet these requirements will be closed as Spam. 
Repeated submissions that fail to meet these criteria may result in removal from the program and/or a platform ban.\n\n---\n\n## Eligibility for Bounty\n\nTo be eligible for a bounty reward:\n\n- You must not have been employed by or contracted to the team maintaining the affected code within the last **12 months**\n- You must submit exclusively through **HackerOne**\n- Email submissions are **not eligible** for bounty rewards\n\n---\n\n## Confidentiality\n\nAll communication regarding submitted issues must occur **exclusively on HackerOne**.\n\nExternal communication, out-of-band disclosures, or premature publication may void eligibility for bounty rewards and future participation.\n\n---\n\n## Official Channels\n\n- HackerOne: official vulnerability reporting platform\n- Email (non-bounty): [security@cosmoslabs.io](mailto:security@cosmoslabs.io)\n\nEmail reports are accepted for disclosure purposes only and are not eligible for bounty rewards.\n\n---\n\n## Disclosure\n\nPublic disclosure is supported **only after** an issue is marked **Resolved** on HackerOne.\n\nResearchers may request attribution in advisories or release documentation once disclosure is approved.\n\n---\n\n## Good Faith\n\nResearchers must act respectfully and in good faith at all times. 
Misconduct—including threats, harassment, extortion, or false accusations—will result in report closure and permanent exclusion from the program.\n\n---\n\n## Safe Harbor\n\nResearch conducted in accordance with this policy is considered:\n\n- Authorized under applicable anti-hacking and anti-circumvention laws\n- Exempt from relevant TOS/AUP restrictions\n- Conducted lawfully and in good faith\n\nSafe Harbor applies only to claims under the control of participating organizations.\n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer covering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}"],"timestamp":"2026-03-02T19:03:59.198Z"},{"id":3770452,"new_policy":"# Cosmos Stack Bug Bounty Program\n\nWithin the Cosmos ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Cosmos Stack, which is built by decentralized development teams.\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol. As such, this program **is not** the right place to search for web application vulnerabilities like XSS, CSRF, and header misconfigurations.\n\nThe focus of this program is on surfacing vulnerabilities in the **protocols, modules, and infrastructure** that make up the Cosmos Stack. 
Assets in scope include source code for integral components of Cosmos, and **do not** include third-party services or IT assets.\n\nBounty rewards are based on multiple factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, available [here](https://github.com/cosmos/security/blob/main/resources/CLASSIFICATION_MATRIX.md).\n\n---\n\n## Program Rewards\n\nWhile there is no maximum program reward at this time, we value creative findings and high-severity bugs, and we maintain a robust program budget to reward them accordingly.\n\nWe evaluate each report and are responsible for rating the severity of submitted issues. At our discretion, we may reward exceptionally high-quality reports or creative lower-severity findings at a higher tier.\n\n**Informational reports are not eligible for bounty rewards.**\n\nRewards for eligible bugs are paid out according to issue severity:\n\n- **Critical:** starting at $50,000  \n- **High:** starting at $25,000  \n- **Medium:** starting at $5,000  \n- **Low:** starting at $2,000  \n\nIf duplicate reports are received, a bounty (if applicable) will be awarded to the **first valid reporter**.\n\nWhen an issue is on track to be mitigated or remediated, we will coordinate with researchers to credit the finding in advisories and release notes, and to support disclosure of valid issues reported through this program.\n\n---\n\n## Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes they have discovered a vulnerability in the Cosmos Stack.\n\nThis policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Cosmos Stack and the teams and infrastructure it supports. 
It supersedes all previous security policies used by individual teams or projects within scope.\n\nFor the most up-to-date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n---\n\n## Our Commitments\n\nWhen working with us under this policy, you can expect us to:\n\n- Respond promptly and work with you to understand and validate reports\n- Keep you informed about vulnerability status and progress\n- Remediate valid vulnerabilities in a timely manner, within operational constraints\n- Extend Safe Harbor for security research conducted in accordance with this policy\n\n---\n\n## Our Expectations\n\nWhen participating in this program in good faith, we ask that you:\n\n- Follow this policy and all relevant agreements\n- Report vulnerabilities promptly\n- Avoid violating privacy, disrupting systems, destroying data, or harming user experience\n- Use only **Official Channels** to discuss vulnerability information\n- Allow **at least 90 days** from initial report before public disclosure\n- Perform testing only on **in-scope systems**\n- Limit data access strictly to what is required for proof of concept\n- Cease testing immediately and submit a report if any sensitive user data is encountered (PII, PHI, financial data, proprietary information)\n- Use only test accounts you own or have explicit permission to use\n- Not engage in extortion or coercive behavior\n\n**Repeated submissions that do not meet program guidelines will result in a ban from the program.**\n\nParticipants who violate these expectations may have their reports closed, deemed ineligible for bounty rewards, or be permanently banned from the program.\n\n---\n\n## Program Scope\n\nWe are interested in a full range of vulnerabilities with demonstrable security impact, ranging from issues proven with unit tests to those requiring full cluster deployments and complex transaction flows.\n\nExamples include (but are not limited 
to):\n\n- Memory allocation and safety issues  \n- Race conditions and concurrency bugs  \n- Timing attacks  \n- Information leaks  \n- Authentication or authorization bypasses  \n- Incorrect block or state validation  \n- Trivial denial-of-service issues  \n- Lost writes or state corruption  \n- Business logic flaws  \n- Transactions or payloads that cause unhandled panics  \n\n### Release Policy Requirement\n\n**Only released code is eligible for bounty rewards.**\n\nTo be considered valid and in scope:\n- The issue **must exist in released code** that is tagged and actively maintained under the Cosmos **Release Family Policy**\n- Code that exists only on `main`, `master`, or other development branches **is not in scope**\n\nThe Release Family Policy is defined here:  \nhttps://github.com/cosmos/security/blob/main/POLICY.md\n\n---\n\n## In Scope\n\n1. The issue must be exploitable in an intended deployed environment and configuration.\n2. Exploitation must not require a previously compromised environment (e.g., compromised node, majority-compromised consensus).\n3. The issue must exist in a supported release according to the Release Family Policy.\n\n---\n\n## Out of Scope\n\n1. Issues requiring a compromised environment to exploit.\n2. Assets not explicitly listed as in scope, including those not owned by participating teams.\n3. Issues already publicly or privately addressed.\n4. Third-party services and websites.\n5. Web vulnerabilities (including but not limited to XSS, CSRF, CORS, cookie flags, TLS config, headers, email configuration).\n6. Documented configuration behaviors in expected deployment scenarios.\n7. Governance misconfiguration-specific issues.\n8. Package registry or dependency management issues without Cosmos-specific exploit PoCs.\n9. Social engineering attacks.\n10. Scanner-generated or informational-only reports.\n11. Dependency vulnerability reports without demonstrated impact on in-scope systems.\n12. 
Non-trivial or volumetric DoS attacks mitigated by gas, fees, or operational controls.\n13. Architectural critiques without immediate exploitability.\n14. Issues fixed upstream less than 90 days prior.\n15. Downstream effects of previously resolved bounty issues.\n16. Following https://github.com/cosmos/cosmos-sdk/pull/25090, the `x/group`, `x/circuit`, `x/crisis`, and `x/nft` modules are no longer in scope.\n\n---\n\n## A Note on Gaia\n\nGaia is included only as a **reference implementation** of the Cosmos Stack.\n\nAll Hub-specific features, third-party modules, or non-core functionality in the Gaia repository are **out of scope** for bounty rewards.\n\n---\n\n## Program Policies\n\nAll submissions **must include a Proof of Concept** demonstrating real-world impact and exploitability.  The proof of concept must be code that can be read and run by the security team.  Descriptions of attacks do not count as valid PoCs and will result in submissions being closed as \"Not Applicable\".\n\n- PoCs must demonstrate real user flows\n- Mock-only or database-only calls are insufficient\n- Reports without adequate detail may be closed or returned\n\nSubmissions must be original work authored by humans. Reports generated or significantly assisted by AI tools (including but not limited to ChatGPT, Claude, Copilot, etc.) are prohibited and will result in immediate closure and potential program ban. All submissions must demonstrate genuine human understanding, manual testing, and original analysis.\n\nTo be eligible for consideration under our bug bounty program, researchers must meet the following criteria:\n\n- Maintain a HackerOne reputation score above 25.\n- Maintain a HackerOne signal above 1.\n- Have a HackerOne profile that is at least 6 months old.\n- If the researcher has previously submitted to our program, they must maintain a valid-to-closed report ratio above 50%.\n\nSubmissions from researchers who do not meet these requirements will be closed as Spam. 
Repeated submissions that fail to meet these criteria may result in removal from the program and/or a platform ban.\n\n---\n\n## Eligibility for Bounty\n\nTo be eligible for a bounty reward:\n\n- You must not have been employed by or contracted to the team maintaining the affected code within the last **12 months**\n- You must submit exclusively through **HackerOne**\n- Email submissions are **not eligible** for bounty rewards\n\n---\n\n## Confidentiality\n\nAll communication regarding submitted issues must occur **exclusively on HackerOne**.\n\nExternal communication, out-of-band disclosures, or premature publication may void eligibility for bounty rewards and future participation.\n\n---\n\n## Official Channels\n\n- HackerOne: official vulnerability reporting platform\n- Email (non-bounty): [security@cosmoslabs.io](mailto:security@cosmoslabs.io)\n\nEmail reports are accepted for disclosure purposes only and are not eligible for bounty rewards.\n\n---\n\n## Disclosure\n\nPublic disclosure is supported **only after** an issue is marked **Resolved** on HackerOne.\n\nResearchers may request attribution in advisories or release documentation once disclosure is approved.\n\n---\n\n## Good Faith\n\nResearchers must act respectfully and in good faith at all times. 
Misconduct—including threats, harassment, extortion, or false accusations—will result in report closure and permanent exclusion from the program.\n\n---\n\n## Safe Harbor\n\nResearch conducted in accordance with this policy is considered:\n\n- Authorized under applicable anti-hacking and anti-circumvention laws\n- Exempt from relevant TOS/AUP restrictions\n- Conducted lawfully and in good faith\n\nSafe Harbor applies only to claims under the control of participating organizations.\n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer covering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}"],"timestamp":"2026-03-02T19:03:18.867Z"},{"id":3770451,"new_policy":"# Cosmos Stack Bug Bounty Program\n\nWithin the Cosmos ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Cosmos Stack, which is built by decentralized development teams.\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol. As such, this program **is not** the right place to search for web application vulnerabilities like XSS, CSRF, and header misconfigurations.\n\nThe focus of this program is on surfacing vulnerabilities in the **protocols, modules, and infrastructure** that make up the Cosmos Stack. 
Assets in scope include source code for integral components of Cosmos, and **do not** include third-party services or IT assets.\n\nBounty rewards are based on multiple factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, available [here](https://github.com/cosmos/security/blob/main/resources/CLASSIFICATION_MATRIX.md).\n\n---\n\n## Program Rewards\n\nWhile there is no maximum program reward at this time, we value creative findings and high-severity bugs, and we maintain a robust program budget to reward them accordingly.\n\nWe evaluate each report and are responsible for rating the severity of submitted issues. At our discretion, we may reward exceptionally high-quality reports or creative lower-severity findings at a higher tier.\n\n**Informational reports are not eligible for bounty rewards.**\n\nRewards for eligible bugs are paid out according to issue severity:\n\n- **Critical:** starting at $50,000  \n- **High:** starting at $25,000  \n- **Medium:** starting at $5,000  \n- **Low:** starting at $2,000  \n\nIf duplicate reports are received, a bounty (if applicable) will be awarded to the **first valid reporter**.\n\nWhen an issue is on track to be mitigated or remediated, we will coordinate with researchers to credit the finding in advisories and release notes, and to support disclosure of valid issues reported through this program.\n\n---\n\n## Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes they have discovered a vulnerability in the Cosmos Stack.\n\nThis policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Cosmos Stack and the teams and infrastructure it supports. 
It supersedes all previous security policies used by individual teams or projects within scope.\n\nFor the most up-to-date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n---\n\n## Our Commitments\n\nWhen working with us under this policy, you can expect us to:\n\n- Respond promptly and work with you to understand and validate reports\n- Keep you informed about vulnerability status and progress\n- Remediate valid vulnerabilities in a timely manner, within operational constraints\n- Extend Safe Harbor for security research conducted in accordance with this policy\n\n---\n\n## Our Expectations\n\nWhen participating in this program in good faith, we ask that you:\n\n- Follow this policy and all relevant agreements\n- Report vulnerabilities promptly\n- Avoid violating privacy, disrupting systems, destroying data, or harming user experience\n- Use only **Official Channels** to discuss vulnerability information\n- Allow **at least 90 days** from initial report before public disclosure\n- Perform testing only on **in-scope systems**\n- Limit data access strictly to what is required for proof of concept\n- Cease testing immediately and submit a report if any sensitive user data is encountered (PII, PHI, financial data, proprietary information)\n- Use only test accounts you own or have explicit permission to use\n- Not engage in extortion or coercive behavior\n\n**Repeated submissions that do not meet program guidelines will result in a ban from the program.**\n\nParticipants who violate these expectations may have their reports closed, deemed ineligible for bounty rewards, or be permanently banned from the program.\n\n---\n\n## Program Scope\n\nWe are interested in a full range of vulnerabilities with demonstrable security impact, ranging from issues proven with unit tests to those requiring full cluster deployments and complex transaction flows.\n\nExamples include (but are not limited 
to):\n\n- Memory allocation and safety issues  \n- Race conditions and concurrency bugs  \n- Timing attacks  \n- Information leaks  \n- Authentication or authorization bypasses  \n- Incorrect block or state validation  \n- Trivial denial-of-service issues  \n- Lost writes or state corruption  \n- Business logic flaws  \n- Transactions or payloads that cause unhandled panics  \n\n### Release Policy Requirement\n\n**Only released code is eligible for bounty rewards.**\n\nTo be considered valid and in scope:\n- The issue **must exist in released code** that is tagged and actively maintained under the Cosmos **Release Family Policy**\n- Code that exists only on `main`, `master`, or other development branches **is not in scope**\n\nThe Release Family Policy is defined here:  \nhttps://github.com/cosmos/security/blob/main/POLICY.md\n\n---\n\n## In Scope\n\n1. The issue must be exploitable in an intended deployed environment and configuration.\n2. Exploitation must not require a previously compromised environment (e.g., compromised node, majority-compromised consensus).\n3. The issue must exist in a supported release according to the Release Family Policy.\n\n---\n\n## Out of Scope\n\n1. Issues requiring a compromised environment to exploit.\n2. Assets not explicitly listed as in scope, including those not owned by participating teams.\n3. Issues already publicly or privately addressed.\n4. Third-party services and websites.\n5. Web vulnerabilities (including but not limited to XSS, CSRF, CORS, cookie flags, TLS config, headers, email configuration).\n6. Documented configuration behaviors in expected deployment scenarios.\n7. Governance misconfiguration-specific issues.\n8. Package registry or dependency management issues without Cosmos-specific exploit PoCs.\n9. Social engineering attacks.\n10. Scanner-generated or informational-only reports.\n11. Dependency vulnerability reports without demonstrated impact on in-scope systems.\n12. 
Non-trivial or volumetric DoS attacks mitigated by gas, fees, or operational controls.\n13. Architectural critiques without immediate exploitability.\n14. Issues fixed upstream less than 90 days prior.\n15. Downstream effects of previously resolved bounty issues.\n16. Following https://github.com/cosmos/cosmos-sdk/pull/25090, the `x/group`, `x/circuit`, `x/crisis`, and `x/nft` modules are no longer in scope.\n\n---\n\n## A Note on Gaia\n\nGaia is included only as a **reference implementation** of the Cosmos Stack.\n\nAll Hub-specific features, third-party modules, or non-core functionality in the Gaia repository are **out of scope** for bounty rewards.\n\n---\n\n## Program Policies\n\nAll submissions **must include a Proof of Concept** demonstrating real-world impact and exploitability.  The proof of concept must be code that can be read and run by the security team.  Descriptions of attacks do not count as valid PoCs and will result in submissions being closed as \"Not Applicable\".\n\n- PoCs must demonstrate real user flows\n- Mock-only or database-only calls are insufficient\n- Reports without adequate detail may be closed or returned\n\nSubmissions must be original work authored by humans. Reports generated or significantly assisted by AI tools (including but not limited to ChatGPT, Claude, Copilot, etc.) are prohibited and will result in immediate closure and potential program ban. All submissions must demonstrate genuine human understanding, manual testing, and original analysis.\n\nTo be eligible for consideration under our bug bounty program, researchers must meet the following criteria:\n\n- Maintain a HackerOne reputation score above 25.\n- Have a HackerOne profile that is at least 6 months old.\n- If the researcher has previously submitted to our program, they must maintain a valid-to-closed report ratio above 50%.\n\nSubmissions from researchers who do not meet these requirements will be closed as Spam. 
Repeated submissions that fail to meet these criteria may result in removal from the program and/or a platform ban.\n\n---\n\n## Eligibility for Bounty\n\nTo be eligible for a bounty reward:\n\n- You must not have been employed by or contracted to the team maintaining the affected code within the last **12 months**\n- You must submit exclusively through **HackerOne**\n- Email submissions are **not eligible** for bounty rewards\n\n---\n\n## Confidentiality\n\nAll communication regarding submitted issues must occur **exclusively on HackerOne**.\n\nExternal communication, out-of-band disclosures, or premature publication may void eligibility for bounty rewards and future participation.\n\n---\n\n## Official Channels\n\n- HackerOne: official vulnerability reporting platform\n- Email (non-bounty): [security@cosmoslabs.io](mailto:security@cosmoslabs.io)\n\nEmail reports are accepted for disclosure purposes only and are not eligible for bounty rewards.\n\n---\n\n## Disclosure\n\nPublic disclosure is supported **only after** an issue is marked **Resolved** on HackerOne.\n\nResearchers may request attribution in advisories or release documentation once disclosure is approved.\n\n---\n\n## Good Faith\n\nResearchers must act respectfully and in good faith at all times. 
Misconduct—including threats, harassment, extortion, or false accusations—will result in report closure and permanent exclusion from the program.\n\n---\n\n## Safe Harbor\n\nResearch conducted in accordance with this policy is considered:\n\n- Authorized under applicable anti-hacking and anti-circumvention laws\n- Exempt from relevant TOS/AUP restrictions\n- Conducted lawfully and in good faith\n\nSafe Harbor applies only to claims under the control of participating organizations.\n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer covering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}"],"timestamp":"2026-03-02T18:52:23.893Z"},{"id":3770369,"new_policy":"# Cosmos Stack Bug Bounty Program\n\nWithin the Cosmos ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Cosmos Stack, which is built by decentralized development teams.\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol. As such, this program **is not** the right place to search for web application vulnerabilities like XSS, CSRF, and header misconfigurations.\n\nThe focus of this program is on surfacing vulnerabilities in the **protocols, modules, and infrastructure** that make up the Cosmos Stack. 
Assets in scope include source code for integral components of Cosmos, and **do not** include third-party services or IT assets.\n\nBounty rewards are based on multiple factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, available [here](https://github.com/cosmos/security/blob/main/resources/CLASSIFICATION_MATRIX.md).\n\n---\n\n## Program Rewards\n\nWhile there is no maximum program reward at this time, we value creative findings and high-severity bugs, and we maintain a robust program budget to reward them accordingly.\n\nWe evaluate each report and are responsible for rating the severity of submitted issues. At our discretion, we may reward exceptionally high-quality reports or creative lower-severity findings at a higher tier.\n\n**Informational reports are not eligible for bounty rewards.**\n\nRewards for eligible bugs are paid out according to issue severity:\n\n- **Critical:** starting at $50,000  \n- **High:** starting at $25,000  \n- **Medium:** starting at $5,000  \n- **Low:** starting at $2,000  \n\nIf duplicate reports are received, a bounty (if applicable) will be awarded to the **first valid reporter**.\n\nWhen an issue is on track to be mitigated or remediated, we will coordinate with researchers to credit the finding in advisories and release notes, and to support disclosure of valid issues reported through this program.\n\n---\n\n## Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes they have discovered a vulnerability in the Cosmos Stack.\n\nThis policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Cosmos Stack and the teams and infrastructure it supports. 
It supersedes all previous security policies used by individual teams or projects within scope.\n\nFor the most up-to-date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n---\n\n## Our Commitments\n\nWhen working with us under this policy, you can expect us to:\n\n- Respond promptly and work with you to understand and validate reports\n- Keep you informed about vulnerability status and progress\n- Remediate valid vulnerabilities in a timely manner, within operational constraints\n- Extend Safe Harbor for security research conducted in accordance with this policy\n\n---\n\n## Our Expectations\n\nWhen participating in this program in good faith, we ask that you:\n\n- Follow this policy and all relevant agreements\n- Report vulnerabilities promptly\n- Avoid violating privacy, disrupting systems, destroying data, or harming user experience\n- Use only **Official Channels** to discuss vulnerability information\n- Allow **at least 90 days** from initial report before public disclosure\n- Perform testing only on **in-scope systems**\n- Limit data access strictly to what is required for proof of concept\n- Cease testing immediately and submit a report if any sensitive user data is encountered (PII, PHI, financial data, proprietary information)\n- Use only test accounts you own or have explicit permission to use\n- Not engage in extortion or coercive behavior\n\n**Repeated submissions that do not meet program guidelines may result in a ban from the program.**\n\nParticipants who violate these expectations may have their reports closed, deemed ineligible for bounty rewards, or be permanently banned from the program.\n\n---\n\n## Program Scope\n\nWe are interested in a full range of vulnerabilities with demonstrable security impact, ranging from issues proven with unit tests to those requiring full cluster deployments and complex transaction flows.\n\nExamples include (but are not limited 
to):\n\n- Memory allocation and safety issues  \n- Race conditions and concurrency bugs  \n- Timing attacks  \n- Information leaks  \n- Authentication or authorization bypasses  \n- Incorrect block or state validation  \n- Trivial denial-of-service issues  \n- Lost writes or state corruption  \n- Business logic flaws  \n- Transactions or payloads that cause unhandled panics  \n\n### Release Policy Requirement\n\n**Only released code is eligible for bounty rewards.**\n\nTo be considered valid and in scope:\n- The issue **must exist in released code** that is tagged and actively maintained under the Cosmos **Release Family Policy**\n- Code that exists only on `main`, `master`, or other development branches **is not in scope**\n\nThe Release Family Policy is defined here:  \nhttps://github.com/cosmos/security/blob/main/POLICY.md\n\n---\n\n## In Scope\n\n1. The issue must be exploitable in an intended deployed environment and configuration.\n2. Exploitation must not require a previously compromised environment (e.g., compromised node, majority-compromised consensus).\n3. The issue must exist in a supported release according to the Release Family Policy.\n\n---\n\n## Out of Scope\n\n1. Issues requiring a compromised environment to exploit.\n2. Assets not explicitly listed as in scope, including those not owned by participating teams.\n3. Issues already publicly or privately addressed.\n4. Third-party services and websites.\n5. Web vulnerabilities (including but not limited to XSS, CSRF, CORS, cookie flags, TLS config, headers, email configuration).\n6. Documented configuration behaviors in expected deployment scenarios.\n7. Governance misconfiguration-specific issues.\n8. Package registry or dependency management issues without Cosmos-specific exploit PoCs.\n9. Social engineering attacks.\n10. Scanner-generated or informational-only reports.\n11. Dependency vulnerability reports without demonstrated impact on in-scope systems.\n12. 
Non-trivial or volumetric DoS attacks mitigated by gas, fees, or operational controls.\n13. Architectural critiques without immediate exploitability.\n14. Issues fixed upstream less than 90 days prior.\n15. Downstream effects of previously resolved bounty issues.\n16. Following https://github.com/cosmos/cosmos-sdk/pull/25090, the `x/group`, `x/circuit`, `x/crisis`, and `x/nft` modules are no longer in scope.\n\n---\n\n## A Note on Gaia\n\nGaia is included only as a **reference implementation** of the Cosmos Stack.\n\nAll Hub-specific features, third-party modules, or non-core functionality in the Gaia repository are **out of scope** for bounty rewards.\n\n---\n\n## Program Policies\n\nAll submissions **must include a Proof of Concept** demonstrating real-world impact and exploitability.  The proof of concept must be code that can be read and run by the security team.  Descriptions of attacks do not count as valid PoCs and will result in submissions being closed as \"Not Applicable\".\n\n- PoCs must demonstrate real user flows\n- Mock-only or database-only calls are insufficient\n- Reports without adequate detail may be closed or returned\n\nSubmissions must be original work authored by humans. Reports generated or significantly assisted by AI tools (including but not limited to ChatGPT, Claude, Copilot, etc.) are prohibited and will result in immediate closure and potential program ban. 
All submissions must demonstrate genuine human understanding, manual testing, and original analysis.\n\n---\n\n## Eligibility for Bounty\n\nTo be eligible for a bounty reward:\n\n- You must not have been employed by or contracted to the team maintaining the affected code within the last **12 months**\n- You must submit exclusively through **HackerOne**\n- Email submissions are **not eligible** for bounty rewards\n\n---\n\n## Confidentiality\n\nAll communication regarding submitted issues must occur **exclusively on HackerOne**.\n\nExternal communication, out-of-band disclosures, or premature publication may void eligibility for bounty rewards and future participation.\n\n---\n\n## Official Channels\n\n- HackerOne: official vulnerability reporting platform\n- Email (non-bounty): [security@cosmoslabs.io](mailto:security@cosmoslabs.io)\n\nEmail reports are accepted for disclosure purposes only and are not eligible for bounty rewards.\n\n---\n\n## Disclosure\n\nPublic disclosure is supported **only after** an issue is marked **Resolved** on HackerOne.\n\nResearchers may request attribution in advisories or release documentation once disclosure is approved.\n\n---\n\n## Good Faith\n\nResearchers must act respectfully and in good faith at all times. 
Misconduct—including threats, harassment, extortion, or false accusations—will result in report closure and permanent exclusion from the program.\n\n---\n\n## Safe Harbor\n\nResearch conducted in accordance with this policy is considered:\n\n- Authorized under applicable anti-hacking and anti-circumvention laws\n- Exempt from relevant TOS/AUP restrictions\n- Conducted lawfully and in good faith\n\nSafe Harbor applies only to claims under the control of participating organizations.\n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer convering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}"],"timestamp":"2026-02-27T22:19:25.402Z"},{"id":3769126,"new_policy":"# Cosmos Stack Bug Bounty Program\n\nWithin the Cosmos ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Cosmos Stack that is built by decentralized development teams.\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol. As such, this program **is not** the right place to search for web application vulnerabilities like XSS, CSRF, and header misconfigurations.\n\nThe focus of this program is on surfacing vulnerabilities in the **protocols, modules, and infrastructure** that make up the Cosmos Stack. 
Assets in scope include source code for integral components of Cosmos, and **do not** include third-party services or IT assets.\n\nBounty rewards are based on multiple factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, available [here](https://github.com/cosmos/security/blob/main/resources/CLASSIFICATION_MATRIX.md).\n\n---\n\n## Program Rewards\n\nWhile there is no maximum program reward at this time, we value creative findings and high-severity bugs, and we maintain a robust program budget to reward them accordingly.\n\nWe evaluate each report and are responsible for rating the severity of submitted issues. At our discretion, we may reward exceptionally high-quality reports or creative lower-severity findings at a higher tier.\n\n**Informational reports are not eligible for bounty rewards.**\n\nRewards for eligible bugs are paid out according to issue severity:\n\n- **Critical:** starting at $50,000  \n- **High:** starting at $25,000  \n- **Medium:** starting at $5,000  \n- **Low:** starting at $2,000  \n\nIf duplicate reports are received, a bounty (if applicable) will be awarded to the **first valid reporter**.\n\nWhen an issue is on track to be mitigated or remediated, we will coordinate with researchers to credit the finding in advisories and release notes, and to support disclosure of valid issues reported through this program.\n\n---\n\n## Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes they have discovered a vulnerability in the Cosmos Stack.\n\nThis policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Cosmos Stack and the teams and infrastructure it supports. 
It supersedes all previous security policies used by individual teams or projects within scope.\n\nFor the most up-to-date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n---\n\n## Our Commitments\n\nWhen working with us under this policy, you can expect us to:\n\n- Respond promptly and work with you to understand and validate reports\n- Keep you informed about vulnerability status and progress\n- Remediate valid vulnerabilities in a timely manner, within operational constraints\n- Extend Safe Harbor for security research conducted in accordance with this policy\n\n---\n\n## Our Expectations\n\nWhen participating in this program in good faith, we ask that you:\n\n- Follow this policy and all relevant agreements\n- Report vulnerabilities promptly\n- Avoid violating privacy, disrupting systems, destroying data, or harming user experience\n- Use only **Official Channels** to discuss vulnerability information\n- Allow **at least 90 days** from initial report before public disclosure\n- Perform testing only on **in-scope systems**\n- Limit data access strictly to what is required for proof of concept\n- Cease testing immediately and submit a report if any sensitive user data is encountered (PII, PHI, financial data, proprietary information)\n- Use only test accounts you own or have explicit permission to use\n- Not engage in extortion or coercive behavior\n\n**Repeated submissions that do not meet program guidelines may result in a ban from the program.**\n\nParticipants who violate these expectations may have their reports closed, deemed ineligible for bounty rewards, or be permanently banned from the program.\n\n---\n\n## Program Scope\n\nWe are interested in a full range of vulnerabilities with demonstrable security impact, ranging from issues proven with unit tests to those requiring full cluster deployments and complex transaction flows.\n\nExamples include (but are not limited 
to):\n\n- Memory allocation and safety issues  \n- Race conditions and concurrency bugs  \n- Timing attacks  \n- Information leaks  \n- Authentication or authorization bypasses  \n- Incorrect block or state validation  \n- Trivial denial-of-service issues  \n- Lost writes or state corruption  \n- Business logic flaws  \n- Transactions or payloads that cause unhandled panics  \n\n### Release Policy Requirement\n\n**Only released code is eligible for bounty rewards.**\n\nTo be considered valid and in scope:\n- The issue **must exist in released code** that is tagged and actively maintained under the Cosmos **Release Family Policy**\n- Code that exists only on `main`, `master`, or other development branches **is not in scope**\n\nThe Release Family Policy is defined here:  \nhttps://github.com/cosmos/security/blob/main/POLICY.md\n\n---\n\n## In Scope\n\n1. The issue must be exploitable in an intended deployed environment and configuration.\n2. Exploitation must not require a previously compromised environment (e.g., compromised node, majority-compromised consensus).\n3. The issue must exist in a supported release according to the Release Family Policy.\n\n---\n\n## Out of Scope\n\n1. Issues requiring a compromised environment to exploit.\n2. Assets not explicitly listed as in scope, including those not owned by participating teams.\n3. Issues already publicly or privately addressed.\n4. Third-party services and websites.\n5. Web vulnerabilities (including but not limited to XSS, CSRF, CORS, cookie flags, TLS config, headers, email configuration).\n6. Documented configuration behaviors in expected deployment scenarios.\n7. Governance misconfiguration-specific issues.\n8. Package registry or dependency management issues without Cosmos-specific exploit PoCs.\n9. Social engineering attacks.\n10. Scanner-generated or informational-only reports.\n11. Dependency vulnerability reports without demonstrated impact on in-scope systems.\n12. 
Non-trivial or volumetric DoS attacks mitigated by gas, fees, or operational controls.\n13. Architectural critiques without immediate exploitability.\n14. Issues fixed upstream less than 90 days prior.\n15. Downstream effects of previously resolved bounty issues.\n16. Following https://github.com/cosmos/cosmos-sdk/pull/25090, the `x/group`, `x/circuit`, `x/crisis`, and `x/nft` modules are no longer in scope.\n\n---\n\n## A Note on Gaia\n\nGaia is included only as a **reference implementation** of the Cosmos Stack.\n\nAll Hub-specific features, third-party modules, or non-core functionality in the Gaia repository are **out of scope** for bounty rewards.\n\n---\n\n## Program Policies\n\nAll submissions **must include a Proof of Concept** demonstrating real-world impact and exploitability.  The proof of concept must be code that can be read and run by the security team.  Descriptions of attacks do not count as valid PoCs and will result in submissions being closed as \"Not Applicable\".\n\n- PoCs must demonstrate real user flows\n- Mock-only or database-only calls are insufficient\n- Reports without adequate detail may be closed or returned\n\n---\n\n## Eligibility for Bounty\n\nTo be eligible for a bounty reward:\n\n- You must not have been employed by or contracted to the team maintaining the affected code within the last **12 months**\n- You must submit exclusively through **HackerOne**\n- Email submissions are **not eligible** for bounty rewards\n\n---\n\n## Confidentiality\n\nAll communication regarding submitted issues must occur **exclusively on HackerOne**.\n\nExternal communication, out-of-band disclosures, or premature publication may void eligibility for bounty rewards and future participation.\n\n---\n\n## Official Channels\n\n- HackerOne: official vulnerability reporting platform\n- Email (non-bounty): [security@cosmoslabs.io](mailto:security@cosmoslabs.io)\n\nEmail reports are accepted for disclosure purposes only and are not eligible for bounty 
rewards.\n\n---\n\n## Disclosure\n\nPublic disclosure is supported **only after** an issue is marked **Resolved** on HackerOne.\n\nResearchers may request attribution in advisories or release documentation once disclosure is approved.\n\n---\n\n## Good Faith\n\nResearchers must act respectfully and in good faith at all times. Misconduct—including threats, harassment, extortion, or false accusations—will result in report closure and permanent exclusion from the program.\n\n---\n\n## Safe Harbor\n\nResearch conducted in accordance with this policy is considered:\n\n- Authorized under applicable anti-hacking and anti-circumvention laws\n- Exempt from relevant TOS/AUP restrictions\n- Conducted lawfully and in good faith\n\nSafe Harbor applies only to claims under the control of participating organizations.\n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer convering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}"],"timestamp":"2026-02-02T18:10:37.010Z"},{"id":3769045,"new_policy":"# Cosmos Stack Bug Bounty Program\n\nWithin the Cosmos ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Cosmos Stack that is built by decentralized development teams.\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol. 
As such, this program **is not** the right place to search for web application vulnerabilities like XSS, CSRF, and header misconfigurations.\n\nThe focus of this program is on surfacing vulnerabilities in the **protocols, modules, and infrastructure** that make up the Cosmos Stack. Assets in scope include source code for integral components of Cosmos, and **do not** include third-party services or IT assets.\n\nBounty rewards are based on multiple factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, available [here](https://github.com/cosmos/security/blob/main/resources/CLASSIFICATION_MATRIX.md).\n\n---\n\n## Program Rewards\n\nWhile there is no maximum program reward at this time, we value creative findings and high-severity bugs, and we maintain a robust program budget to reward them accordingly.\n\nWe evaluate each report and are responsible for rating the severity of submitted issues. At our discretion, we may reward exceptionally high-quality reports or creative lower-severity findings at a higher tier.\n\n**Informational reports are not eligible for bounty rewards.**\n\nRewards for eligible bugs are paid out according to issue severity:\n\n- **Critical:** starting at $50,000  \n- **High:** starting at $25,000  \n- **Medium:** starting at $5,000  \n- **Low:** starting at $2,000  \n\nIf duplicate reports are received, a bounty (if applicable) will be awarded to the **first valid reporter**.\n\nWhen an issue is on track to be mitigated or remediated, we will coordinate with researchers to credit the finding in advisories and release notes, and to support disclosure of valid issues reported through this program.\n\n---\n\n## Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes they have discovered a vulnerability in the Cosmos Stack.\n\nThis policy, as hosted on HackerOne, is the official Coordinated Vulnerability 
Disclosure policy for the Cosmos Stack and the teams and infrastructure it supports. It supersedes all previous security policies used by individual teams or projects within scope.\n\nFor the most up-to-date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n---\n\n## Our Commitments\n\nWhen working with us under this policy, you can expect us to:\n\n- Respond promptly and work with you to understand and validate reports\n- Keep you informed about vulnerability status and progress\n- Remediate valid vulnerabilities in a timely manner, within operational constraints\n- Extend Safe Harbor for security research conducted in accordance with this policy\n\n---\n\n## Our Expectations\n\nWhen participating in this program in good faith, we ask that you:\n\n- Follow this policy and all relevant agreements\n- Report vulnerabilities promptly\n- Avoid violating privacy, disrupting systems, destroying data, or harming user experience\n- Use only **Official Channels** to discuss vulnerability information\n- Allow **at least 90 days** from initial report before public disclosure\n- Perform testing only on **in-scope systems**\n- Limit data access strictly to what is required for proof of concept\n- Cease testing immediately and submit a report if any sensitive user data is encountered (PII, PHI, financial data, proprietary information)\n- Use only test accounts you own or have explicit permission to use\n- Not engage in extortion or coercive behavior\n\n**Repeated submissions that do not meet program guidelines may result in a ban from the program.**\n\nParticipants who violate these expectations may have their reports closed, deemed ineligible for bounty rewards, or be permanently banned from the program.\n\n---\n\n## Program Scope\n\nWe are interested in a full range of vulnerabilities with demonstrable security impact, ranging from issues proven with unit tests to those requiring full cluster 
deployments and complex transaction flows.\n\nExamples include (but are not limited to):\n\n- Memory allocation and safety issues  \n- Race conditions and concurrency bugs  \n- Timing attacks  \n- Information leaks  \n- Authentication or authorization bypasses  \n- Incorrect block or state validation  \n- Trivial denial-of-service issues  \n- Lost writes or state corruption  \n- Business logic flaws  \n- Transactions or payloads that cause unhandled panics  \n\n### Release Policy Requirement\n\n**Only released code is eligible for bounty rewards.**\n\nTo be considered valid and in scope:\n- The issue **must exist in released code** that is tagged and actively maintained under the Cosmos **Release Family Policy**\n- Code that exists only on `main`, `master`, or other development branches **is not in scope**\n\nThe Release Family Policy is defined here:  \nhttps://github.com/cosmos/security/blob/main/POLICY.md\n\n---\n\n## In Scope\n\n1. The issue must be exploitable in an intended deployed environment and configuration.\n2. Exploitation must not require a previously compromised environment (e.g., compromised node, majority-compromised consensus).\n3. The issue must exist in a supported release according to the Release Family Policy.\n\n---\n\n## Out of Scope\n\n1. Issues requiring a compromised environment to exploit.\n2. Assets not explicitly listed as in scope, including those not owned by participating teams.\n3. Issues already publicly or privately addressed.\n4. Third-party services and websites.\n5. Web vulnerabilities (including but not limited to XSS, CSRF, CORS, cookie flags, TLS config, headers, email configuration).\n6. Documented configuration behaviors in expected deployment scenarios.\n7. Governance misconfiguration-specific issues.\n8. Package registry or dependency management issues without Cosmos-specific exploit PoCs.\n9. Social engineering attacks.\n10. Scanner-generated or informational-only reports.\n11. 
Dependency vulnerability reports without demonstrated impact on in-scope systems.\n12. Non-trivial or volumetric DoS attacks mitigated by gas, fees, or operational controls.\n13. Architectural critiques without immediate exploitability.\n14. Issues fixed upstream less than 90 days prior.\n15. Downstream effects of previously resolved bounty issues.\n16. Following https://github.com/cosmos/cosmos-sdk/pull/25090, the `x/group`, `x/circuit`, `x/crisis`, and `x/nft` modules are no longer in scope.\n\n---\n\n## A Note on Gaia\n\nGaia is included only as a **reference implementation** of the Cosmos Stack.\n\nAll Hub-specific features, third-party modules, or non-core functionality in the Gaia repository are **out of scope** for bounty rewards.\n\n---\n\n## Program Policies\n\nAll submissions **must include a Proof of Concept** demonstrating real-world impact and exploitability.\n\n- PoCs must demonstrate real user flows\n- Mock-only or database-only calls are insufficient\n- Reports without adequate detail may be closed or returned\n\n---\n\n## Eligibility for Bounty\n\nTo be eligible for a bounty reward:\n\n- You must not have been employed by or contracted to the team maintaining the affected code within the last **12 months**\n- You must submit exclusively through **HackerOne**\n- Email submissions are **not eligible** for bounty rewards\n\n---\n\n## Confidentiality\n\nAll communication regarding submitted issues must occur **exclusively on HackerOne**.\n\nExternal communication, out-of-band disclosures, or premature publication may void eligibility for bounty rewards and future participation.\n\n---\n\n## Official Channels\n\n- HackerOne: official vulnerability reporting platform\n- Email (non-bounty): [security@cosmoslabs.io](mailto:security@cosmoslabs.io)\n\nEmail reports are accepted for disclosure purposes only and are not eligible for bounty rewards.\n\n---\n\n## Disclosure\n\nPublic disclosure is supported **only after** an issue is marked **Resolved** on 
HackerOne.\n\nResearchers may request attribution in advisories or release documentation once disclosure is approved.\n\n---\n\n## Good Faith\n\nResearchers must act respectfully and in good faith at all times. Misconduct—including threats, harassment, extortion, or false accusations—will result in report closure and permanent exclusion from the program.\n\n---\n\n## Safe Harbor\n\nResearch conducted in accordance with this policy is considered:\n\n- Authorized under applicable anti-hacking and anti-circumvention laws\n- Exempt from relevant TOS/AUP restrictions\n- Conducted lawfully and in good faith\n\nSafe Harbor applies only to claims under the control of participating organizations.\n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer convering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}"],"timestamp":"2026-01-30T16:46:11.088Z"},{"id":3766289,"new_policy":"# Cosmos Stack Bug Bounty Program\n\nWithin the Cosmos ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Cosmos Stack that is built by decentralized development teams. \u2028\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. 
As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that makes up the Cosmos Stack, its assets include source code for integral components of the Cosmos, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality that is available [here](https://github.com/cosmos/security/blob/main/resources/CLASSIFICATION_MATRIX.md). \n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\u2028\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $50,000\n* High: starting at $25,000\n* Medium: starting at $5,000\n* Low/Informational: Starting at $2,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Cosmos Stack. 
This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Cosmos Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. For the most up to date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\n\nWhen working with us, according to this policy, you can expect us to:\u2028\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\n\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\u2028\n\n* Play by the rules, including following this policy and any other relevant agreements. 
If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in extortion.\n\nParticipants whose actions violate these expectations may have their reports closed or may be banned from the program altogether. \n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Cosmos Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. 
\n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n## Out of Scope\n\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. 
a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, target needs to compile code locally with modifications to exploit, etc. \n10. Scanner-generated reports (e.g. BurpSuite Scanner, AppScan, DNS bruteforcers, Nessus, Nexpose, Metasploit, etc.), and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Cosmos Stack.\n11. \"Vulnerable Library\" or dependency reports highlighting known framework, dependency, or project vulnerabilities, without a specific proof of concept demonstrating the security impact to the in-scope items running in expected configurations.\n12. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Cosmos Stack.  DOS scenarios requiring volumetric traffic are not in scope.\n13. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n14. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\n15. Issues that are downstream of an issue that was previously resolved as part of a bounty report or advisory (e.g. delayed adoption of a patch that was released through this process).\n16. Following https://github.com/cosmos/cosmos-sdk/pull/25090, the `x/group`, `x/circuit`, `x/crisis`, and `x/nft` modules are no longer in scope for the program.\n\n### A note on Gaia\n\nIn 2018 when Gaia was added to the Cosmos Bug Bounty program, the scope covered Gaia as a reference implementation of the Cosmos Stack.  
Since then, the Hub has grown Gaia past a reference implementation through governance and product development to include features and functionality that are not included in the core Cosmos Stack components.  Due to this, all third-party code, third-party modules, Hub-specific features, or Hub-specific implementation in the Gaia repository are not in-scope for rewards payout in this Bug Bounty program.  \n\n# Program Policies\n\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information.   PoCs must demonstrate real user flows and not use arbitrary calls to mocks or DB methods.\n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  Email submissions are not eligible for bounties.\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@cosmoslabs.io](mailto:security@cosmoslabs.io) are the official channels for reporting security vulnerabilities.  If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@cosmoslabs.io](mailto:security@cosmoslabs.io) with the issue details, reproduction, impact, and other information. 
Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in a follow-up reply as a new attachment. \n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Cosmos Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. If security notifications or code changes are required, reporters may request that their name and social media handles be included in the corresponding documentation. \n\n### Report Format\n\nAll reports submitted to the bounty program are triaged expeditiously.  If you are not ready to submit a fully-completed initial report, please complete your report before submitting it to our program to prevent us from triaging an incomplete report.  Your report must fully describe the issue in the text body of the report, and can include additional attachments of proof of concepts, videos, supporting files, etc.; however, they *must* be attached through the HackerOne platform. 
The triage team for this program will not follow external links provided in the body of any report, or triage \"attachment-only\" reports with no text body.\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means:\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Cosmos Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. [Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards and eventual banning from the program.\n\n# Safe Harbor\n\nWhen you conduct vulnerability research according to this policy, we consider that research to be:\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Cosmos Ecosystem!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer covering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}"],"timestamp":"2025-11-18T15:17:43.395Z"},{"id":3764991,"new_policy":"# Cosmos Stack Bug Bounty Program\n\nWithin the Cosmos ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Cosmos Stack that is built by decentralized development teams. \n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that make up the Cosmos Stack, its assets include source code for integral components of the Cosmos, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality that is available [here](https://github.com/cosmos/security/blob/main/resources/CLASSIFICATION_MATRIX.md). 
\n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $50,000\n* High: starting at $25,000\n* Medium: starting at $5,000\n* Low/Informational: starting at $2,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Cosmos Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Cosmos Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up to date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Cosmos Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, target needs to compile code locally with modifications to exploit, etc. \n10. Scanner-generated reports (e.g. BurpSuite Scanner, AppScan, DNS bruteforcers, Nessus, Nexpose, Metasploit, etc.), and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Cosmos Stack.\n11. \"Vulnerable Library\" or dependency reports highlighting known framework, dependency, or project vulnerabilities, without a specific proof of concept demonstrating the security impact to the in-scope items running in expected configurations.\n12. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Cosmos Stack.  DOS scenarios requiring volumetric traffic are not in scope.\n13. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n14. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\n15. Issues that are downstream of an issue that was previously resolved as part of a bounty report or advisory (e.g. delayed adoption of a patch that was released through this process).\n16. 
Following https://github.com/cosmos/cosmos-sdk/pull/25090, the `x/group`, `x/circuit`, `x/crisis`, and `x/nft` modules will not be in scope of the program anymore.\n\n### A note on Gaia\n\nIn 2018 when Gaia was added to the Cosmos Bug Bounty program, the scope covered Gaia as a reference implementation of the Cosmos Stack.  Since then, the Hub has grown Gaia past a reference implementation through governance and product development to include features and functionality that are not included in the core Cosmos Stack components.  Due to this, all third-party code, third-party modules, Hub-specific features, or Hub-specific implementation in the Gaia repository are not in-scope for rewards payout in this Bug Bounty program.  \n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@cosmoslabs.io](mailto:security@cosmoslabs.io) are the official channels for reporting security vulnerabilities.  
If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@cosmoslabs.io](mailto:security@cosmoslabs.io) with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in a follow-up reply as a new attachment. \n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Cosmos Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. If security notifications or code changes are required, reporters may request that their name and social media handles be included in the corresponding documentation. \n\n### Report Format\n\nAll reports submitted to the bounty program are triaged expeditiously.  If you are not ready to submit a fully-completed initial report, please complete your report before submitting it to our program to prevent us from triaging an incomplete report.  Your report must fully describe the issue in the text body of the report, and can include additional attachments of proof of concepts, videos, supporting files, etc.; however, they *must* be attached through the HackerOne platform. 
The triage team for this program will not follow external links provided in the body of any report, or triage \"attachment-only\" reports with no text body.\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means:\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Cosmos Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. [Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen you conduct vulnerability research according to this policy, we consider that research to be:\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Cosmos Ecosystem!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer covering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}"],"timestamp":"2025-10-22T16:30:56.835Z"},{"id":3761398,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that make up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality that is available [here](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md). 
\n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $50,000\n* High: starting at $25,000\n* Medium: starting at $5,000\n* Low/Informational: starting at $2,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up to date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, target needs to compile code locally with modifications to exploit, etc. \n10. Scanner-generated reports (e.g. BurpSuite Scanner, AppScan, DNS bruteforcers, Nessus, Nexpose, Metasploit, etc.), and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack.\n11. \"Vulnerable Library\" or dependency reports highlighting known framework, dependency, or project vulnerabilities, without a specific proof of concept demonstrating the security impact to the in-scope items running in expected configurations.\n12. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain Stack.  DOS scenarios requiring volumetric traffic are not in scope.\n13. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n14. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\n15. Issues that are downstream of an issue that was previously resolved as part of a bounty report or advisory (e.g. delayed adoption of a patch that was released through this process).\n16. 
Following https://github.com/cosmos/cosmos-sdk/pull/25090, the `x/group`, `x/circuit`, `x/crisis`, and `x/nft` modules will not be in scope of the program anymore.\n\n### A note on Gaia\n\nIn 2018 when Gaia was added to the Cosmos Bug Bounty program, the scope covered Gaia as a reference implementation of the Interchain Stack.  Since then, the Hub has grown Gaia past a reference implementation through governance and product development to include features and functionality that are not included in the core Interchain Stack components.  Due to this, all third-party code, third-party modules, Hub-specific features, or Hub-specific implementation in the Gaia repository are not in-scope for rewards payout in this Bug Bounty program.  \n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@interchain.io](mailto:security@interchain.io) are the official channels for reporting security vulnerabilities.  
If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@interchain.io](mailto:security@interchain.io) with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. \n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n### Report Format\n\nAll reports submitted to the bounty program are triaged expeditiously.  If you are not ready to submit a fully-completed initial report, please complete your report before submitting it to our program to prevent us from triaging an incomplete report.  Your report must fully describe the issue in the text body of the report, and can include additional attachments of proof of concepts, videos, supporting files, etc, however they *must* be attached through the HackerOne platform. 
The triage team for this program will not follow external links provided in the body of any report, or triage \"attachment-only\" reports with no text body.\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means: \u2028\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. [Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:\u2028\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\u2028\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\u2028\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\u2028\u2028\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"SDK modules that are not maintained\",\"details\":\"Following https://github.com/cosmos/cosmos-sdk/pull/25090, we are no longer covering the following SDK modules in our bug bounty program as they are not being maintained:\\n\\n- `x/group`\\n- `x/circuit`\\n- `x/crisis`\\n- `x/nft`\"}"],"timestamp":"2025-08-20T04:25:55.982Z"},{"id":3759168,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \u2028\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that make up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality that is available [here](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md). 
\n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\u2028\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $50,000\n* High: starting at $25,000\n* Medium: starting at $5,000\n* Low/Informational: Starting at $2,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up to date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\u2028\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\u2028\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, target needs to compile code locally with modifications to exploit, etc. \n10. Scanner-generated reports, and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack such as BurpSuite Scanner, AppScan, DNS Bruteforcers, Nessus, Nexpose, Metasploit, etc.\n11. \"Vulnerable Library\" or dependency reports highlighting known framework, dependency, or project vulnerabilities, without a specific proof of concept demonstrating the security impact to the in-scope items running in expected configurations.\n12. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain stack.  DOS scenarios requiring volumetric traffic are not in scope.\n13. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n14. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\u2028\n15. Issues that are downstream of an issue that was previously resolved as part of a bounty report or advisory (e.g. 
delayed adoption of a patch that was released through this process).\n\n### A note on Gaia\n\nIn 2018 when Gaia was added to the Cosmos Bug Bounty program, the scope covered Gaia as a reference implementation of the Interchain Stack.  Since then, the Hub has grown Gaia past a reference implementation through governance and product development to include features and functionality that are not included in the core Interchain Stack components.  Due to this, all third-party code, third-party modules, Hub-specific features, or Hub-specific implementation in the Gaia repository are not in-scope for rewards payout in this Bug Bounty program.  \n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@interchain.io](mailto:security@interchain.io) are the official channels for reporting security vulnerabilities.  
If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@interchain.io](mailto:security@interchain.io) with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. \n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n### Report Format\n\nAll reports submitted to the bounty program are triaged expeditiously.  If you are not ready to submit a fully-completed initial report, please complete your report before submitting it to our program to prevent us from triaging an incomplete report.  Your report must fully describe the issue in the text body of the report, and can include additional attachments of proof of concepts, videos, supporting files, etc, however they *must* be attached through the HackerOne platform. 
The triage team for this program will not follow external links provided in the body of any report, or triage \"attachment-only\" reports with no text body.\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means: \u2028\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. [Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:\u2028\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\u2028\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\u2028\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\u2028\u2028\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-16T13:22:27.902Z"},{"id":3757586,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \u2028\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that make up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality that is available [here](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md). \n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\u2028\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $50,000\n* High: starting at $25,000\n* Medium: starting at $5,000\n* Low/Informational: Starting at $2,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\nIn response to the recent Interchain Labs security report, we are reaffirming our commitment to the security of our platform. To that end, we are doubling the bounty rewards for any qualifying security issues linked to contributions from the account \"cool-develope\" for one month (16.06.2025 - 16.07.2025). To be eligible for this increased bounty, please ensure your report clearly demonstrates that the vulnerability was introduced by a change from this specific account.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up to date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\u2028\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\u2028\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, target needs to compile code locally with modifications to exploit, etc. \n10. Scanner-generated reports, and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack such as BurpSuite Scanner, AppScan, DNS Bruteforcers, Nessus, Nexpose, Metasploit, etc.\n11. \"Vulnerable Library\" or dependency reports highlighting known framework, dependency, or project vulnerabilities, without a specific proof of concept demonstrating the security impact to the in-scope items running in expected configurations.\n12. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain stack.  DOS scenarios requiring volumetric traffic are not in scope.\n13. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n14. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\u2028\n15. Issues that are downstream of an issue that was previously resolved as part of a bounty report or advisory (e.g. 
delayed adoption of a patch that was released through this process).\n\n### A note on Gaia\n\nIn 2018 when Gaia was added to the Cosmos Bug Bounty program, the scope covered Gaia as a reference implementation of the Interchain Stack.  Since then, the Hub has grown Gaia past a reference implementation through governance and product development to include features and functionality that are not included in the core Interchain Stack components.  Due to this, all third-party code, third-party modules, Hub-specific features, or Hub-specific implementation in the Gaia repository are not in-scope for rewards payout in this Bug Bounty program.  \n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@interchain.io](mailto:security@interchain.io) are the official channels for reporting security vulnerabilities.  
If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@interchain.io](mailto:security@interchain.io) with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. \n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n### Report Format\n\nAll reports submitted to the bounty program are triaged expeditiously.  If you are not ready to submit a fully-completed initial report, please complete your report before submitting it to our program to prevent us from triaging an incomplete report.  Your report must fully describe the issue in the text body of the report, and can include additional attachments of proof of concepts, videos, supporting files, etc, however they *must* be attached through the HackerOne platform. 
The triage team for this program will not follow external links provided in the body of any report, or triage \"attachment-only\" reports with no text body.\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means:\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment (e.g. mainnet) while conducting security research. \n* Be respectful of our team. [Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen conducting vulnerability research according to this policy, we consider this research to be:\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-16T13:01:51.266Z"},{"id":3742936,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that make up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality that is available [here](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md). \n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative findings and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $50,000\n* High: starting at $25,000\n* Medium: starting at $5,000\n* Low/Informational: starting at $2,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the finding in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up-to-date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us with a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* Interact only with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, JavaScript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, target needs to compile code locally with modifications to exploit, etc. \n10. Scanner-generated reports, and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack, such as output from BurpSuite Scanner, AppScan, DNS bruteforcers, Nessus, Nexpose, Metasploit, etc.\n11. \"Vulnerable Library\" or dependency reports highlighting known framework, dependency, or project vulnerabilities, without a specific proof of concept demonstrating the security impact to the in-scope items running in expected configurations.\n12. Non-trivial DoS attacks or DoS attacks that may be mitigated by existing operational controls, e.g. gas, fees, etc. An example of a trivial DoS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain Stack.  DoS scenarios requiring volumetric traffic are not in scope.\n13. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n14. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\n15. Issues that are downstream of an issue that was previously resolved as part of a bounty report or advisory (e.g. 
delayed adoption of a patch that was released through this process).\n\n### A note on Gaia\n\nIn 2018 when Gaia was added to the Cosmos Bug Bounty program, the scope covered Gaia as a reference implementation of the Interchain Stack.  Since then, the Hub has grown Gaia past a reference implementation through governance and product development to include features and functionality that are not included in the core Interchain Stack components.  Due to this, all third-party code, third-party modules, Hub-specific features, or Hub-specific implementation in the Gaia repository are not in-scope for rewards payout in this Bug Bounty program.  \n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@interchain.io](mailto:security@interchain.io) are the official channels for reporting security vulnerabilities.  
If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@interchain.io](mailto:security@interchain.io) with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. \n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n### Report Format\n\nAll reports submitted to the bounty program are triaged expeditiously.  If you are not ready to submit a fully-completed initial report, please complete your report before submitting it to our program to prevent us from triaging an incomplete report.  Your report must fully describe the issue in the text body of the report, and can include additional attachments of proof of concepts, videos, supporting files, etc, however they *must* be attached through the HackerOne platform. 
The triage team for this program will not follow external links provided in the body of any report, or triage \"attachment-only\" reports with no text body.\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means:\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment (e.g. mainnet) while conducting security research. \n* Be respectful of our team. [Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen conducting vulnerability research according to this policy, we consider this research to be:\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-24T22:09:15.466Z"},{"id":3742030,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that make up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality that is available [here](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md). \n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative findings and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $50,000\n* High: starting at $25,000\n* Medium: starting at $5,000\n* Low/Informational: starting at $2,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the finding in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up-to-date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us with a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* Interact only with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, JavaScript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, target needs to compile code locally with modifications to exploit, etc. \n10. Scanner-generated reports, and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack, such as output from BurpSuite Scanner, AppScan, DNS bruteforcers, Nessus, Nexpose, Metasploit, etc.\n11. \"Vulnerable Library\" or dependency reports highlighting known framework, dependency, or project vulnerabilities, without a specific proof of concept demonstrating the security impact to the in-scope items running in expected configurations.\n12. Non-trivial DoS attacks or DoS attacks that may be mitigated by existing operational controls, e.g. gas, fees, etc. An example of a trivial DoS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain Stack.  DoS scenarios requiring volumetric traffic are not in scope.\n13. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n14. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\n15. Issues that are downstream of an issue that was previously resolved as part of a bounty report or advisory (e.g. 
delayed adoption of a patch that was released through this process).\n\n### A note on Gaia\n\nIn 2018 when Gaia was added to the Cosmos Bug Bounty program, the scope covered Gaia as a reference implementation of the Interchain Stack.  Since then, the Hub has grown Gaia past a reference implementation through governance and product development to include features and functionality that are not included in the core Interchain Stack components.  Due to this, all third-party code, third-party modules, Hub-specific features, or Hub-specific implementation in the Gaia repository are not in-scope for rewards payout in this Bug Bounty program.  \n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@interchain.io](mailto:security@interchain.io) are the official channels for reporting security vulnerabilities.  
If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@interchain.io](mailto:security@interchain.io) with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. \n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n### Report Format\n\nAll reports submitted to the bounty program are triaged expeditiously.  If you are not ready to submit a fully-completed initial report, please complete your report before submitting it to our program to prevent us from triaging an incomplete report.  Your report must fully describe the issue in the text body of the report, and can include additional attachments of proof of concepts, videos, supporting files, etc, however they *must* be attached through the HackerOne platform. 
The triage team for this program will not follow external links provided in the body of any report, or triage \"attachment-only\" reports with no text body.\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means: \u2028\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. [Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:\u2028\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\u2028\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\u2028\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\u2028\u2028\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-14T22:46:25.738Z"},{"id":3741491,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \u2028\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that makes up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality that is available [here](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md). \n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\u2028\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $50,000\n* High: starting at $25,000\n* Medium: starting at $5,000\n* Low/Informational: Starting at $2,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up to date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\u2028\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\u2028\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, target needs to compile code locally with modifications to exploit, etc. \n10. Scanner-generated reports, and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack such as BurpSuite Scanner, AppScan, DNS Bruteforcers, Nessus, Nexpose, Metasploit, etc.\n11. \"Vulnerable Library\" or dependency reports highlighting known framework, dependency, or project vulnerabilities, without a specific proof of concept demonstrating the security impact to the in-scope items running in expected configurations.\n12. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain stack.  DOS scenarios requiring volumetric traffic are not in scope.\n13. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n14. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\u2028\n15. Issues that are downstream of an issue that was previously resolved as part of a bounty report or advisory (e.g. 
delayed adoption of a patch that was released through this process).\n\n### A note on Gaia\n\nIn 2018 when Gaia was added to the Cosmos Bug Bounty program, the scope covered Gaia as a reference implementation of the Interchain Stack.  Since then, the Hub has grown Gaia past a reference implementation through governance and product development to include features and functionality that are not included in the core Interchain Stack components.  Due to this, all third-party code, third-party modules, Hub-specific features, or Hub-specific implementation in the Gaia repository are not in-scope for rewards payout in this Bug Bounty program.  \n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@interchain.io](mailto:security@interchain.io) are the official channels for reporting security vulnerabilities.  
If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@interchain.io](mailto:security@interchain.io) with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. \n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means: \u2028\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. 
[Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  \n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:\u2028\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. 
If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\u2028\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\u2028\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\u2028\u2028\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-08T22:01:12.265Z"},{"id":3737220,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \u2028\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. 
As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that makes up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality that is available [here](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md). \n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\u2028\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $25,000\n* High: starting at $10,000\n* Medium: starting at $3,000\n* Low/Informational: Starting at $1,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. 
This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. For the most up to date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\u2028\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\u2028\n\n* Play by the rules, including following this policy and any other relevant agreements. 
If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. 
An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, target needs to compile code locally with modifications to exploit, etc. \n10. 
Scanner-generated reports, and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack such as BurpSuite Scanner, AppScan, DNS Bruteforcers, Nessus, Nexpose, Metasploit, etc.\n11. \"Vulnerable Library\" or dependency reports highlighting known framework, dependency, or project vulnerabilities, without a specific proof of concept demonstrating the security impact to the in-scope items running in expected configurations.\n12. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain stack.  DOS scenarios requiring volumetric traffic are not in scope.\n13. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n14. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\u2028\n15. Issues that are downstream of an issue that was previously resolved as part of a bounty report or advisory (e.g. delayed adoption of a patch that was released through this process).\n\n### A note on Gaia\n\nIn 2018 when Gaia was added to the Cosmos Bug Bounty program, the scope covered Gaia as a reference implementation of the Interchain Stack.  Since then, the Hub has grown Gaia past a reference implementation through governance and product development to include features and functionality that are not included in the core Interchain Stack components.  Due to this, all third-party code, third-party modules, Hub-specific features, or Hub-specific implementation in the Gaia repository is not in-scope for this Bug Bounty program.  \n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. 
Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@interchain.io](mailto:security@interchain.io) are the official channels for reporting security vulnerabilities.  If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@interchain.io](mailto:security@interchain.io) with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. \n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. 
Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means: \u2028\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. [Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:\u2028\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\u2028\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\u2028\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\u2028\u2028\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-28T01:19:29.427Z"},{"id":3736457,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \u2028\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that makes up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality that is available [here](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md). \n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\u2028\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $25,000\n* High: starting at $10,000\n* Medium: starting at $3,000\n* Low/Informational: Starting at $1,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up to date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\u2028\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\u2028\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, target needs to compile code locally with modifications to exploit, etc. \n10. Scanner-generated reports, and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack such as BurpSuite Scanner, AppScan, DNS Bruteforcers, Nessus, Nexpose, Metasploit, etc.\n11. \"Vulnerable Library\" or dependency reports highlighting known framework, dependency, or project vulnerabilities, without a specific proof of concept demonstrating the security impact to the in-scope items running in expected configurations.\n12. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain stack.  DOS scenarios requiring volumetric traffic are not in scope.\n13. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n14. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\u2028\n15. Issues that are downstream of an issue that was previously resolved as part of a bounty report or advisory (e.g. 
delayed adoption of a patch that was released through this process).\n\n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@interchain.io](mailto:security@interchain.io) are the official channels for reporting security vulnerabilities.  If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@interchain.io](mailto:security@interchain.io) with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. 
\n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means: \u2028\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. [Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:\u2028\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\u2028\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\u2028\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\u2028\u2028\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-16T22:34:24.574Z"},{"id":3736456,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \u2028\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that makes up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, and may also choose to consult CVSS for rating severity as well. \n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\u2028\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $25,000\n* High: starting at $10,000\n* Medium: starting at $3,000\n* Low/Informational: Starting at $1,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up to date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\u2028\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\u2028\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, target needs to compile code locally with modifications to exploit, etc. \n10. Scanner-generated reports, and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack such as BurpSuite Scanner, AppScan, DNS Bruteforcers, Nessus, Nexpose, Metasploit, etc.\n11. \"Vulnerable Library\" or dependency reports highlighting known framework, dependency, or project vulnerabilities, without a specific proof of concept demonstrating the security impact to the in-scope items running in expected configurations.\n12. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain stack.  DOS scenarios requiring volumetric traffic are not in scope.\n13. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n14. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\u2028\n15. Issues that are downstream of an issue that was previously resolved as part of a bounty report or advisory (e.g. 
delayed adoption of a patch that was released through this process).\n\n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@interchain.io](mailto:security@interchain.io) are the official channels for reporting security vulnerabilities.  If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@interchain.io](mailto:security@interchain.io) with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. 
\n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means: \u2028\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. [Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:\u2028\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\u2028\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\u2028\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\u2028\u2028\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-16T22:23:51.518Z"},{"id":3735980,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \u2028\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that makes up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, and may also choose to consult CVSS for rating severity as well. \n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\u2028\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $25,000\n* High: starting at $10,000\n* Medium: starting at $3,000\n* Low/Informational: Starting at $1,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up to date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\u2028\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\u2028\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, target needs to compile code locally with modifications to exploit, etc. \n10. Scanner-generated reports, and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack such as BurpSuite Scanner, AppScan, DNS Bruteforcers, Nessus, Nexpose, Metasploit, etc.\n11. \"Vulnerable Library\" or dependency reports highlighting known framework, dependency, or project vulnerabilities, without a specific proof of concept demonstrating the security impact to the in-scope items running in expected configurations.\n12. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain stack.  DOS scenarios requiring volumetric traffic are not in scope.\n13. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n14. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\u2028\n15. Issues that are downstream of an issue that was previously resolved as part of a bounty report or advisory (e.g. 
delayed adoption of a patch that was released through this process).\n\n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@interchain.io](mailto:security@interchain.io) are the official channels for reporting security vulnerabilities.  If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@interchain.io](mailto:security@interchain.io) with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. 
\n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means: \u2028\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. [Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:\u2028\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\u2028\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\u2028\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\u2028\u2028\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-13T17:18:10.116Z"},{"id":3733108,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \u2028\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that makes up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, and may also choose to consult CVSS for rating severity as well. \n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\u2028\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $25,000\n* High: starting at $10,000\n* Medium: starting at $3,000\n* Low/Informational: Starting at $1,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up to date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\u2028\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\u2028\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, target needs to compile code locally with modifications to exploit, etc. \n10. Scanner-generated reports, and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack such as BurpSuite Scanner, AppScan, DNS Bruteforcers, Nessus, Nexpose, Metasploit, etc.\n11. \"Vulnerable Library\" or dependency reports highlighting known framework, dependency, or project vulnerabilities, without a specific proof of concept demonstrating the security impact to the in-scope items running in expected configurations.\n12. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain stack.  DOS scenarios requiring volumetric traffic are not in scope.\n13. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n14. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\u2028\n15. Issues that are downstream of an issue that was previously resolved as part of a bounty report or advisory (e.g. 
delayed adoption of a patch that was released through this process).\n\n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@interchain.io](mailto:security@interchain.io) are the official channels for reporting security vulnerabilities.  If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@interchain.io](mailto:security@interchain.io) with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. 
\n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means: \u2028\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. [Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:\u2028\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\u2028\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\u2028\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\u2028\u2028\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-20T19:04:35.948Z"},{"id":3723386,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \u2028\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that makes up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, and may also choose to consult CVSS for rating severity as well. \n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\u2028\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $25,000\n* High: starting at $10,000\n* Medium: starting at $3,000\n* Low/Informational: Starting at $1,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up to date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\u2028\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\u2028\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, etc. \n10. Scanner-generated reports, and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack such as BurpSuite Scanner, AppScan, DNS Bruteforcers, Nessus, Nexpose, Metasploit, etc.\n11. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain stack.\n12. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n13. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\u2028\n14. Issues that are downstream of an issue that was previously resolved as part of a bounty report or advisory (e.g. delayed adoption of a patch that was released through this process).\n\n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. 
\n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@interchain.io](mailto:security@interchain.io) are the official channels for reporting security vulnerabilities.  If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@interchain.io](mailto:security@interchain.io) with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. \n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. 
\n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means: \u2028\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. [Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:\u2028\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\u2028\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\u2028\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\u2028\u2028\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-12T19:33:23.381Z"},{"id":3706337,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \u2028\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that makes up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, and may also choose to consult CVSS for rating severity as well. \n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\u2028\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $25,000\n* High: starting at $10,000\n* Medium: starting at $3,000\n* Low/Informational: Starting at $1,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up to date version of this policy, please consult the [HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true).\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\u2028\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\u2028\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, etc. \n10. Scanner-generated reports, and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack such as BurpSuite Scanner, AppScan, DNS Bruteforcers, Nessus, Nexpose, Metasploit, etc.\n11. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain stack.\n12. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n13. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\u2028\n\n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  
Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and [security@interchain.io](mailto:security@interchain.io) are the official channels for reporting security vulnerabilities.  If you do not want to report an issue via the HackerOne platform, you may send a bug report to [security@interchain.io](mailto:security@interchain.io) with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. \n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. 
If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means: \u2028\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. [Misconduct](https://docs.hackerone.com/hackers/misconduct.html) like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:\u2028\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\u2028\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\u2028\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\u2028\u2028\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from [disclose.io](http://disclose.io/).* \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-01T19:04:38.786Z"},{"id":3706069,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \u2028\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that makes up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, and may also choose to consult CVSS for rating severity as well. \n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\u2028\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $25,000\n* High: starting at $10,000\n* Medium: starting at $3,000\n* Low/Informational: Starting at $1,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n# Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up to date version of this policy, please consult the ~[HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true)~.\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\u2028\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\u2028\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n \nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, etc. \n10. Scanner-generated reports, and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack such as BurpSuite Scanner, AppScan, DNS Bruteforcers, Nessus, Nexpose, Metasploit, etc.\n11. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain stack.\n12. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n13. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\u2028\n\n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  
Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and ~[security@interchain.io](mailto:security@interchain.io)~ are the official channels for reporting security vulnerabilities.  If you do not want to report an issue via the HackerOne platform, you may send a bug report to ~[security@interchain.io](mailto:security@interchain.io)~ with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. \n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. 
If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means: \u2028\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. ~[Misconduct](https://docs.hackerone.com/hackers/misconduct.html)~ like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n\n# Safe Harbor\nWhen conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:\u2028\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\u2028\n\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\u2028\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\u2028\u2028\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from ~[disclose.io](http://disclose.io/)~.* \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-30T06:24:16.623Z"},{"id":3706068,"new_policy":"# Cosmos: the Interchain Stack Bug Bounty Program\n\nWithin the Interchain ecosystem, we believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. This program exists as a public good to actively reward the people who discover bugs in the Interchain Stack that is built by decentralized development teams. \u2028\n\nOur stack includes distributed systems protocols, cryptography, a smart contract platform, a consensus algorithm, and an interoperability protocol, which means that this program isn’t the right place to go searching for web application vulnerabilities like XSS, CSRF, and header misconfigurations. As the focus of this program is on surfacing vulnerabilities in the protocols, modules, and infrastructure that makes up the Interchain Stack, its assets include source code for integral components of the Interchain, and not third-party services or IT assets. \n \nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use an impact/likelihood framework to assess criticality, and may also choose to consult CVSS for rating severity as well. \n\n# Program Rewards\n\nWhile there is no maximum program reward in place at this time, we value creative finds and high severity bugs, and we have a robust program budget that allows us to reward them accordingly. We will evaluate each report and are responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high quality reports or creative lower-tier bugs at a higher-tier level at any time.\u2028\n\nRewards for bugs will be paid out according to issue severity:\n\n* Critical: starting at $25,000\n* High: starting at $10,000\n* Medium: starting at $3,000\n* Low/Informational: Starting at $1,000\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. When an issue is on track to be mitigated or remediated, we will coordinate with hackers to credit the find in advisories and release notes, and to support the disclosure of valid issues reported to this program.\n\n # Coordinated Vulnerability Disclosure Policy\n\nWe are committed to working in good faith with anyone who believes that they have found a vulnerability in the Interchain Stack. This policy, as hosted on HackerOne, is the official Coordinated Vulnerability Disclosure policy for the Interchain Stack and the teams and infrastructure it supports, and it supersedes previous security policies that have been used in the past by individual teams and projects with targets in scope of this program. 
For the most up to date version of this policy, please consult the ~[HackerOne program page](https://hackerone.com/cosmos?type=team\u0026view_policy=true)~.\n\n## Our Commitments\nWhen working with us, according to this policy, you can expect us to:\u2028\n* Respond to your report promptly, and work with you to understand and validate your report;\n* Strive to keep you informed about the progress of a vulnerability as it is processed;\n* Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and\n* Extend Safe Harbor for your vulnerability research that is related to this policy.\n\n## Our Expectations\nIn participating in our vulnerability disclosure program in good faith, we ask that you:\u2028\n\n* Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;\n* Report any vulnerability you’ve discovered promptly;\n* Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;\n* Use only the Official Channels to discuss vulnerability information with us;\n* Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;\n* Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;\n* If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;\n* You should only interact with test accounts you own or with explicit permission from the account holder; and\n* Do not engage in 
extortion.\n\n\n# Program Scope\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n \nExamples of vulnerabilities in the Interchain Stack that we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, trivial denial of service issues, lost write bugs, business logic errors, and payloads/transactions that cause unhandled panics. \n\nTo be considered valid, an issue must be present in the main/`master` branch of a repository or included in the latest release unless a development team specifies otherwise in their Long Term Support policy. \n\n## In Scope\n\n1. An issue must be exploitable in an intended deployed environment and configuration.\n2. Successful exploitation of an issue must not require an already compromised environment, whether the context is a single node, machine, or a decentralized network environment.\n3. Generally, issues reported in the latest release and in development will be considered in scope, though long term support commitments may vary from component to component. \n\n\n## Out of Scope\n1. Issues that require a compromised environment to exploit, e.g. a majority-compromised consensus configuration, already compromised node, etc. \n2. Items that are not explicitly listed in scope, especially assets not owned by parties participating in this policy. \n3. Issues that are already being addressed publicly or privately by the responsible teams.\n4. Services and websites operated by third parties.\n5. Phishing, clickjacking, tab-nabbing, HTTP header configurations, CORS configurations, cookie flags, Captcha issues, logout CSRF, account lockout issues, mixed content, TLS configuration, email configuration issues, any issues involving server banner or version information.\n6. 
Configuration issues in which there exists documentation explaining the functionality of the configuration for an expected deployment scenario.\n7. Issues in which a network is specifically vulnerable to an issue due to governance misconfiguration by that network.\n8. Issues involving public package repository and registry configurations, javascript package management, or package management issues requiring non-standard installation scenarios.\n9. Social engineering, e.g. a target needs to open a web inspector, target needs to run a malicious command on host, unicode ambiguity, DNS misconfigurations, etc. \n10. Scanner-generated reports, and “Advisory” or “Informational” reports that do not include any testing specific to in-scope components of the Interchain Stack such as BurpSuite Scanner, AppScan, DNS Bruteforcers, Nessus, Nexpose, Metasploit, etc.\n11. Non-trivial DOS attacks or DOS attacks that may be mitigated by existing operational controls e.g. gas, fees, etc. An example of a trivial DOS attack would be a single request or message that could halt or cause significant disruption for all users of the Interchain stack.\n12. Issues raised around product or architecture deficiencies that are not immediately exploitable.\n13. Issues on in-scope networks running software on in-scope frameworks where the issue was addressed in the framework and less than 90 days have passed.\u2028\n\n\n# Program Policies\nAll issues must include a Proof of Concept that demonstrates the impact and exploitability of the issue. Reports that do not include this information may be closed or sent back to the reporter for more information. \n\n### Eligibility for Bounty\n\nTo be eligible for a bounty reward, you must not have been employed or contracted to work for a development team maintaining the code a bug is reported for in the last 12 months. You must also use HackerOne exclusively for submitting your issue to the Bug Bounty program.  
Email submissions are not eligible for bounties.\n\n\n### Confidentiality\n\nTo be eligible for a bounty, all communication about an issue reported to the program must occur within the HackerOne site exclusively.  Any external communication, out-of-band communications with the development teams, full or premature disclosure before the issue is marked as resolved on the HackerOne platform may void your eligibility for a bounty reward. Repeated violations may result in ineligibility for future rewards. \n\n\n### Official Channels\n\nThe Cosmos Bug Bounty program and ~[security@interchain.io](mailto:security@interchain.io)~ are the official channels for reporting security vulnerabilities.  If you do not want to report an issue via the HackerOne platform, you may send a bug report to ~[security@interchain.io](mailto:security@interchain.io)~ with the issue details, reproduction, impact, and other information. Artifacts from an email report are saved at the time the email is triaged. Please note: our team is not able to monitor dynamic content (e.g. a Google Docs link that is edited after receipt) throughout the lifecycle of a report. If you would like to share additional information or modify previous information, please include it in an additional reply as an additional attachment. \n\n\n### Third Party Services\n\nThough bugs in the services that we use are important, they are ineligible for Cosmos bounty program rewards. Any bugs that are found in services in use by teams building and stewarding the Interchain Stack (e.g. Discord, Discourse, Telegram, Signal, Meetup, etc.) should be disclosed directly to those services. \n\n\n### Disclosure\n\nOur program supports public disclosure of issues only after the issue has been marked as Resolved on HackerOne.  This includes limited disclosure on the HackerOne platform itself if a reporter desires to utilize it. 
If security notifications or code changes are required, reporters may request for their name and social media handles to be included in the corresponding documentation. \n\n\n### Good Faith\n\nTo be eligible to participate in the Cosmos Bug Bounty program, we ask that all researchers act in good faith, which means: \u2028\n* Don’t publicly disclose information about a vulnerability without explicit consent from the team operating this program. \n* Don’t discuss vulnerability details with anyone other than the team operating this program, especially before we can patch the vulnerability with Interchain Stack developers. \n* Don’t exploit or attack a production environment while conducting security research, e.g. mainnet. \n* Be respectful of our team. ~[Misconduct](https://docs.hackerone.com/hackers/misconduct.html)~ like making threats (direct, indirect, veiled, or conditional), demanding access to members of our team to report an issue, engaging in extortion tactics, making false accusations of misconduct or illegal behavior, and engaging in harassment and/or a coordinated campaign to attack our team is disrespectful and damages decades of hard work that security researchers and organizations have invested to coordinate disclosure of security issues.  
\n\nFailure to respect these rules will result in your reports being ineligible for bounty rewards.\n\n\n# Safe Harbor\nWhen conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:\u2028\n* Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;\n* Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;\n* Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and\n* Lawful, helpful to the overall security of the Internet (and Interchain!), and conducted in good faith.\n\nYou are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\u2028\nIf at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.\u2028\n\nNote that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.\u2028\u2028\n\n*The Coordinated Vulnerability Disclosure Policy and Safe Harbor Policy included in this program are based on v. 
2021.1 of each respective policy from ~[disclose.io](http://disclose.io/)~.* \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-30T06:23:13.588Z"},{"id":3700309,"new_policy":"# Cosmos Bug Bounty Program\n\n## About the program\n\nThe Cosmos ecosystem teams all believe that strong security is a blend of highly technical security researchers who care about security and the forward progression of the ecosystem and the attentiveness and openness of Cosmos core contributors to help continually secure our operations.\n\nThe bug bounty is an **application security** program rewarding specification and code-related issues.\n\n## Responsible disclosure\nThe program is built around responsible disclosure of vulnerabilities:\n\nFollow the guidelines, including adhering to strict confidentiality and NOT publishing security-sensitive information in public.\n\n* Abide by this policy to disclose vulnerabilities, and avoid posting vulnerability information in public places, including Github, Discord, Telegram, and Twitter.\n* Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems (including but not limited to the Cosmos Hub), and destruction of data.\n* Keep any information about vulnerabilities that you’ve discovered confidential between yourself and the Cosmos engineering team until the issue has been resolved and disclosed.\n* Avoid posting personally identifiable information, privately or publicly.\n\n## Program Scope and Rules\n1. Vulnerabilities in applications and specifications written in Go, Rust, proto3, C++ or plain-text / pseudocode for the Cosmos Ecosystem\nmay be in scope for the program. The exact application repositories are listed under \"Scope\".\n2. 
At least, the code in the `main` branch and the latest release (tagged) are supported for security vulnerabilities.\nEach repository may expand their supported release scope in their SECURITY.md file.\n3. If a vulnerability and its exploit are both publicly known, the bug bounty program may not apply.\nHowever, resolutions and mitigation strategies may still be eligible for rewards through the bounty program.\n4. Not adhering to the responsible disclosure guidelines voids payout from the program and might lead to exclusion from the program.\n5. The reported vulnerability must be valid for 64-bit machines with at least 2GB RAM.\n6. The reported vulnerability must be valid on Tendermint clusters where fewer than ⅓ of the nodes are faulty or malicious.\n7. All server environments have not been compromised before and during testing by other adversarial software or actors.\n\n## Not in scope\nEven if they are part of a GitHub repository, the below scenarios are not in scope for the bug bounty program.\n1. Javascript libraries, code\n2. Third-party services vulnerabilities.\nExamples: Google Suite, GitHub integrations, documentation websites, https://cosmos.network, https://www.cometbft.com, AWS S3 buckets, other cloud services.\n3. Findings from physical testing, such as office access\n4. Findings derived from social engineering (e.g., phishing)\n5. DoS attacks that only rely on exhausting resources by adding many attackers, or are mitigated under gas or fee mechanisms on-chain (use operational best practices)\n6. Scanner-generated reports and \"Advisory\" or “Informational” reports that do not include any CometBFT, IBC, or Cosmos-specific testing or context\n7. 
Clickjacking as a single finding and issues requiring social engineering components\n\nAny vulnerabilities found in third-party services should be disclosed directly to them.\n\n## More Details\n\nWe’re interested in a full range of bugs with demonstrable security risks:\nfrom those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nSee [EXAMPLES.md](https://github.com/cosmos/security/EXAMPLES.md) for some of the examples that we are interested in for the bug bounty program.\n\nSee [here](https://docs.cometbft.com/) for a quick-start guide to getting CometBFT running, so you can start hunting for bugs.\n\nSee [here](https://cosmos.network/docs/) to start working with the Cosmos-SDK Learn more about getting it up and running in your testing environment.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-23T19:59:06.943Z"},{"id":3685342,"new_policy":"# Cosmos Bug Bounty Program\n\n## About the program\n\nThe Cosmos ecosystem teams all believe that strong security is a blend of highly technical security researchers who care about security and the forward progression of the ecosystem and the attentiveness and openness of Cosmos core contributors to help continually secure our operations.\n\nThe bug bounty is an **application security** program rewarding specification and code-related issues.\n\n## Responsible disclosure\nThe program is built around responsible disclosure of vulnerabilities:\n\nFollow the guidelines, including adhering to strict confidentiality and NOT publishing security-sensitive information in public.\n\n* Abide by this policy to disclose vulnerabilities, and avoid posting vulnerability information in public places, including Github, 
Discord, Telegram, and Twitter.\n* Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems (including but not limited to the Cosmos Hub), and destruction of data.\n* Keep any information about vulnerabilities that you’ve discovered confidential between yourself and the Cosmos engineering team until the issue has been resolved and disclosed.\n* Avoid posting personally identifiable information, privately or publicly.\n\n## Program Scope and Rules\n1. Vulnerabilities in applications and specifications written in Go, Rust, proto3, C++ or plain-text / pseudocode for the Cosmos Ecosystem\nmay be in scope for the program. The exact application repositories are listed under \"Scope\".\n2. At least, the code in the `main` branch and the latest release (tagged) are supported for security vulnerabilities.\nEach repository may expand their supported release scope in their SECURITY.md file.\n3. If a vulnerability and its exploit are both publicly known, the bug bounty program may not apply.\nHowever, resolutions and mitigation strategies may still be eligible for rewards through the bounty program.\n4. Not adhering to the responsible disclosure guidelines voids payout from the program and might lead to exclusion from the program.\n5. The reported vulnerability must be valid for 64-bit machines with at least 2GB RAM.\n6. The reported vulnerability must be valid on Tendermint clusters where fewer than ⅓ of the nodes are faulty or malicious.\n7. All server environments have not been compromised before and during testing by other adversarial software or actors.\n\n## Not in scope\nEven if they are part of a GitHub repository, the below scenarios are not in scope for the bug bounty program.\n1. Javascript libraries, code\n2. Third-party services vulnerabilities.\nExamples: Google Suite, GitHub integrations, documentation websites, https://cosmos.network, https://www.cometbft.com, AWS S3 buckets, other cloud services.\n3. 
Findings from physical testing, such as office access\n4. Findings derived from social engineering (e.g., phishing)\n5. DDoS attacks that only rely on exhausting resources by adding many attackers (use operational best practices)\n6. Scanner-generated reports and \"Advisory\" or “Informational” reports that do not include any CometBFT, IBC, or Cosmos-specific testing or context\n7. Clickjacking as a single finding and issues requiring social engineering components\n\nAny vulnerabilities found in third-party services should be disclosed directly to them.\n\n## More Details\n\nWe’re interested in a full range of bugs with demonstrable security risks:\nfrom those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nSee [EXAMPLES.md](https://github.com/cosmos/security/EXAMPLES.md) for some of the examples that we are interested in for the bug bounty program.\n\nSee [here](https://docs.cometbft.com/) for a quick-start guide to getting CometBFT running, so you can start hunting for bugs.\n\nSee [here](https://cosmos.network/docs/) to start working with the Cosmos-SDK Learn more about getting it up and running in your testing environment.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-25T00:08:03.523Z"},{"id":3685341,"new_policy":"# Cosmos Bug Bounty Program\n\n## About the program\n\nThe Cosmos ecosystem teams all believe that strong security is a blend of highly technical security researchers who care about security and the forward progression of the ecosystem and the attentiveness and openness of Cosmos core contributors to help continually secure our operations.\n\nThe bug bounty is an **application security** program rewarding specification and 
code-related issues.\n\n## Responsible disclosure\nThe program is built around responsible disclosure of vulnerabilities:\n\nFollow the guidelines, including adhering to strict confidentiality and NOT publishing security-sensitive information in public.\n\n* Abide by this policy to disclose vulnerabilities, and avoid posting vulnerability information in public places, including Github, Discord, Telegram, and Twitter.\n* Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems (including but not limited to the Cosmos Hub), and destruction of data.\n* Keep any information about vulnerabilities that you’ve discovered confidential between yourself and the Cosmos engineering team until the issue has been resolved and disclosed.\n* Avoid posting personally identifiable information, privately or publicly.\n\n## Program Scope and Rules\n1. Vulnerabilities in applications and specifications written in Go, Rust, proto3 or plain-text / pseudocode for the Cosmos Ecosystem\nmay be in scope for the program. The exact application repositories are listed under \"Scope\".\n2. At least, the code in the `main` branch and the latest release (tagged) are supported for security vulnerabilities.\nEach repository may expand their supported release scope in their SECURITY.md file.\n3. If a vulnerability and its exploit are both publicly known, the bug bounty program may not apply.\nHowever, resolutions and mitigation strategies may still be eligible for rewards through the bounty program.\n4. Not adhering to the responsible disclosure guidelines voids payout from the program and might lead to exclusion from the program.\n5. The reported vulnerability must be valid for 64-bit machines with at least 2GB RAM.\n6. The reported vulnerability must be valid on Tendermint clusters where fewer than ⅓ of the nodes are faulty or malicious.\n7. 
All server environments have not been compromised before and during testing by other adversarial software or actors.\n\n## Not in scope\nEven if they are part of a GitHub repository, the below scenarios are not in scope for the bug bounty program.\n1. Javascript libraries, code\n2. Third-party services vulnerabilities.\nExamples: Google Suite, GitHub integrations, documentation websites, https://cosmos.network, https://www.cometbft.com, AWS S3 buckets, other cloud services.\n3. Findings from physical testing, such as office access\n4. Findings derived from social engineering (e.g., phishing)\n5. DDoS attacks that only rely on exhausting resources by adding many attackers (use operational best practices)\n6. Scanner-generated reports and \"Advisory\" or “Informational” reports that do not include any CometBFT, IBC, or Cosmos-specific testing or context are ineligible for rewards.\n7. Clickjacking as a single finding and issues requiring social engineering components\n\nAny vulnerabilities found in third-party services should be disclosed directly to them.\n\n## More Details\n\nWe’re interested in a full range of bugs with demonstrable security risks:\nfrom those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nSee [EXAMPLES.md](https://github.com/cosmos/security/EXAMPLES.md) for some of the examples that we are interested in for the bug bounty program.\n\nSee [here](https://docs.cometbft.com/) for a quick-start guide to getting CometBFT running, so you can start hunting for bugs.\n\nSee [here](https://cosmos.network/docs/) to start working with the Cosmos-SDK Learn more about getting it up and running in your testing 
environment.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-24T23:48:44.257Z"},{"id":3684782,"new_policy":"# Cosmos Bug Bounty Program\n\n## About the Cosmos Bug Bounty\n\nThe Cosmos ecosystem teams include the Cosmos SDK, Gaia, IBC-go, CometBFT, and IBC Relayers. We all believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. \n\nOur program exists to actively reward the people who discover security bugs in our protocol and the products we are building and *responsibly disclose* them. Responsible disclosure requires following our guidelines, including adhering to strict confidentiality and not publishing security-sensitive information in public.\n\nBounty rewards are based on many factors including impact, risk, the likelihood of exploitation, and report quality. We use the CVSS framework to score all reports in a standardized and fair way.\n\n* Critical— $5,000 and up\n\n* High— $3,000 and up \n\n* Medium— $1000 and up \n\n* Low— up to $200\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Once resolved, valid issues reported to this program will be disclosed responsibly once they have been remediated. 
\n\n## Program Scope\n\nPlease see the “Scope” section for a list of assets that are included in the scope of our bug bounty program.\n\n## More Details\n\nTo qualify for a bounty, bugs must be: \n\n* Not reported in public (Discord, Telegram, GitHub public issue)\n\n* Valid on the master/main branch, or on a supported release branch, of the corresponding repository. \n\n* Valid for 64-bit machines with at least 2 GB RAM.\n\n* Valid on Tendermint clusters where fewer than ⅓ of the nodes are faulty or malicious.\n\nWe’re interested in a full range of bugs with demonstrable security risks: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities that are of interest to us include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service (specifically at the protocol layer), lost-write bugs, unauthorized account or capability access, stolen funds, token inflation bugs, payloads/transactions that cause panics, and so on. We are also interested in vulnerabilities that highlight clusters where more than ⅓ of the nodes may become faulty or malicious.\n\nPlease see [here](https://docs.cometbft.com/) for a quick-start guide to getting CometBFT running so you can start hunting for bugs. To work with Cosmos-SDK, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nAll associated websites, services, and sub-domains are **out of scope**, including:\n\n* [https://cometbft.com](https://www.cometbft.com/)\n\n* [https://cosmos.network](https://cosmos.network/) \n\n* Cloud services, including AWS S3 buckets\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (i.e. 
Mailchimp, Meetup, Discord, and Telegram) should be disclosed directly to those services. \n\nScanner-generated reports and \"Advisory\" or “Informational” reports that do not include any CometBFT, IBC, or Cosmos-specific testing or context are ineligible for rewards. Additionally, clickjacking as a single finding and issues requiring social engineering components are ineligible for reward as part of this program. However, we may accept clickjacking as part of a chain. We also assume that all server environments have not been compromised before and during testing by other adversarial software or actors. \n\n## Security Guidelines\n\nSee our [Security Policy Document](https://github.com/cometbft/cometbft/blob/master/SECURITY.md) for more details on submissions and rewards.\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-03-14T18:31:29.688Z"},{"id":3679374,"new_policy":"# Cosmos Bug Bounty Program\n\n## About the Cosmos Bug Bounty\n\nThe Cosmos ecosystem teams include the Cosmos SDK, Gaia, IBC, Tendermint Core, and IBC Relayers. We all believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. \n\nOur program exists to actively reward the people who discover bugs in our protocol and the products we are building and *responsibly disclose* them. Responsible disclosure requires following our guidelines, including adhering to strict confidentiality and not publishing security sensitive information in public or on Github.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. 
We use the CVSS framework to score all reports in a standardized and fair way.\n\n* Critical— $5,000 and up\n\n* High— $3,000 and up \n\n* Medium— $1000 and up \n\n* Low— up to $200\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Once resolved, valid issues reported to this program will be disclosed responsibly once they have been remediated. \n\n## Program Scope\n\nPlease see the “Scope” tab for a list of assets which are included in the scope of our bug bounty program.\n\n## More Details\n\nTo qualify for a bounty, bugs must be: \n\n* Not reported in public or on Github (!)\n\n* Valid on the master/main branch, or on a supported release branch, of the corresponding repository. \n\n* Valid for 64-bit machines with at least 2 GB RAM.\n\n* Valid on Tendermint clusters where fewer than ⅓ of the nodes are faulty or malicious.\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities that are of interest to us include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service (specifically at the application- or protocol-layer), lost-write bugs, unauthorized account or capability access, stolen funds, token inflation bugs, payloads/transactions that cause panics, and so on. 
We are also interested in vulnerabilities that highlight clusters where more than ⅓ of the nodes may become faulty or malicious.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with Cosmos-SDK, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nAll other associated websites, services, and sub-domains are **out of scope**, including:\n\n* [https://tendermint.com](https://www.tendermint.com/)\n\n* [https://cosmos.network](https://cosmos.network/) \n\n* Cloud services, including AWS S3 buckets\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, Discord, and Telegram) should be disclosed directly to those services. \n\nScanner-generated reports and \"Advisory\" or “Informational” reports that do not include any Tendermint- or Cosmos-specific testing or context are ineligible for rewards. Additionally, clickjacking as a single finding and issues requiring social engineering components are ineligible for reward as part of this program. However, we may accept clickjacking as part of a chain. We also assume that all server environments have not been compromised before and during testing by other adversarial software or actors. 
\n\n## Security Guidelines\n\nSee our [Security Policy Document](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for more details on submissions and rewards.\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-02T15:47:51.801Z"},{"id":3673609,"new_policy":"# Cosmos Bug Bounty Program\n\n## About the Cosmos Bug Bounty\n\nThe Cosmos ecosystem teams include the Cosmos SDK, Gaia, IBC, Tendermint Core, and IBC Relayers. We all believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. \n\nOur program exists to actively reward the people who discover bugs in our protocol and the products we are building.\n\nRecent changes to the code include a transition from an in-house serialization system to Protobuf, major new Tendermint Core features like state sync and the first implementation of Cosmos’s flagship Inter-blockchain Communication (IBC) protocol. These are high priority for the security community to review.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use the CVSS framework to score all reports in a standardized and fair way.\n\n* Critical— $5,000 and up\n\n* High— $3,000 and up \n\n* Medium— $1000 and up \n\n* Low— up to $200\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. 
Once resolved, valid issues reported to this program will be disclosed responsibly once they have been remediated. \n\n## Program Scope\n\nPlease see the “Scope” tab for a list of assets which are included in the scope of our bug bounty program.\n\n## More Details\n\nTo qualify for a bounty, bugs must be: \n\n* Valid on the master/main branch (or, under certain circumstances, on the latest release branch) of the corresponding repository. \n\n* Valid for 64-bit machines with at least 2 GB RAM.\n\n* Valid on Tendermint clusters where fewer than ⅓ of the nodes are faulty or malicious.\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities that are of interest to us include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service (specifically at the application- or protocol-layer), lost-write bugs, unauthorized account or capability access, stolen funds, token inflation bugs, payloads/transactions that cause panics, and so on. We are also interested in vulnerabilities that highlight clusters where more than ⅓ of the nodes may become faulty or malicious.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with Cosmos-SDK, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nAll other associated websites, services, and sub-domains are **out of scope**, including:\n\n* [https://tendermint.com](https://www.tendermint.com/)\n\n* [https://cosmos.network](https://cosmos.network/) \n\n* Cloud services, including AWS S3 buckets\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. 
Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, Discord, and Telegram) should be disclosed directly to those services. \n\nScanner-generated reports and \"Advisory\" or “Informational” reports that do not include any Tendermint- or Cosmos-specific testing or context are ineligible for rewards. Additionally, clickjacking as a single finding and issues requiring social engineering components are ineligible for reward as part of this program. However, we may accept clickjacking as part of a chain. We also assume that all server environments have not been compromised before and during testing by other adversarial software or actors. \n\n## Security Guidelines\n\nSee our [Security Policy Document](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for more details on submissions and rewards.\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-06-29T17:52:41.992Z"},{"id":3661428,"new_policy":"# Cosmos Bug Bounty Program\n\n## About the Cosmos Bug Bounty\n\nThe Cosmos ecosystem teams include the Cosmos SDK, Gaia, IBC, Tendermint Core, and IBC Relayers. We all believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. \n\nOur program exists to actively reward the people who discover bugs in our protocol and the products we are building.\n\nRecent changes to the code include a transition from an in-house serialization system to Protobuf, major new Tendermint Core features like state sync and the first implementation of Cosmos’s flagship Inter-blockchain Communication (IBC) protocol. 
These are high priority for the security community to review.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use the CVSS framework to score all reports in a standardized and fair way.\n\n* Critical— $5,000 and up\n\n* High— $3,000 and up \n\n* Medium— $1000 and up \n\n* Low— up to $200\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Once resolved, valid issues reported to this program will be disclosed responsibly once they have been remediated. \n\n## Program Scope\n\nPlease see the “Scope” tab for a list of assets which are included in the scope of our bug bounty program.\n\n## More Details\n\nTo qualify for a bounty, bugs must be: \n\n* Valid on the master/main branch (or, under certain circumstances, on the latest release branch) of the corresponding repository. \n\n* Valid for 64-bit machines with at least 2 GB RAM.\n\n* Valid on Tendermint clusters where fewer than ⅓ of the nodes are faulty or malicious.\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities that are of interest to us include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service (specifically at the application- or protocol-layer), lost-write bugs, unauthorized account or capability access, stolen funds, token inflation bugs, payloads/transactions that cause panics, and so on. 
We are also interested in vulnerabilities that highlight clusters where more than ⅓ of the nodes may become faulty or malicious.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with Cosmos-SDK, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nAll other associated websites, services, and sub-domains are **out of scope**, including:\n\n* [https://tendermint.com](https://www.tendermint.com/)\n\n* [https://cosmos.network](https://blog.cosmos.network/) \n\n* Cloud services, including AWS S3 buckets\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, Discord, and Telegram) should be disclosed directly to those services. \n\nScanner-generated reports and \"Advisory\" or “Informational” reports that do not include any Tendermint- or Cosmos-specific testing or context are ineligible for rewards. Additionally, clickjacking as a single finding and issues requiring social engineering components are ineligible for reward as part of this program. However, we may accept clickjacking as part of a chain. We also assume that all server environments have not been compromised before and during testing by other adversarial software or actors. 
\n\n## Security Guidelines\n\nSee our [Security Policy Document](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for more details on submissions and rewards.\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-09T15:05:54.309Z"},{"id":3650163,"new_policy":"# Tendermint Core/Cosmos Bug Bounty Program\n\n_The Cosmos Stargate Bug Bounty has concluded and we are through the Stargate. Thank you for your submissions!_ \n\n## About the Cosmos Bug Bounty\n\nThe Cosmos ecosystem teams include the Cosmos SDK, IBC, Tendermint Core, and IBC Relayer teams. We all believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. \n\nOur program exists to actively reward the people who discover bugs in our protocol and the products we’re building.\n\nRecent changes to the code include a transition from an in-house serialization system to Protobuf, major new Tendermint Core features like state sync and the first implementation of Cosmos’s flagship Inter-blockchain Communication (IBC) protocol. These are high priority for the security community to review.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use the CVSS framework to score all reports in a standardized and fair way.\n\n* Critical— $2,500 and up\n\n* High— $1,000 and up \n\n* Medium— $500 and up \n\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. 
At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Once resolved, valid issues reported to this program will be disclosed responsibly once they have been remediated. \n\n## Program Scope\n\nPlease see the “Scope” tab for a list of assets which are included in the scope of our bug bounty program.\n\n## More Details\n\nTo qualify for a bounty, bugs must be: \n\n* Valid on the master branch (or, under certain circumstances, on the latest release branch) of the corresponding repository. \n\n* Valid for 64-bit machines with at least 2 GB RAM.\n\n* Valid on Tendermint clusters where fewer than ⅓ of the nodes are faulty or malicious.\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities that are of interest to us include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service (specifically at the application- or protocol-layer), lost-write bugs, unauthorized account or capability access, stolen funds, token inflation bugs, payloads/transactions that cause panics, and so on. We are also interested in vulnerabilities that highlight clusters where more than ⅓ of the nodes may become faulty or malicious.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. 
To work with Cosmos-SDK, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nAll other associated websites, services, and sub-domains are **out of scope**, including:\n\n* [https://tendermint.com](https://www.tendermint.com/)\n\n* [https://cosmos.network](https://blog.cosmos.network/) \n\n* Cloud services, including AWS S3 buckets\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, Discord, and Telegram) should be disclosed directly to those services. \n\nScanner-generated reports and \"Advisory\" or “Informational” reports that do not include any Tendermint- or Cosmos-specific testing or context are ineligible for rewards. Additionally, clickjacking as a single finding and issues requiring social engineering components are ineligible for reward as part of this program. However, we may accept clickjacking as part of a chain. We also assume that all server environments have not been compromised before and during testing by other adversarial software or actors. \n\n## Security Guidelines\n\nSee our [Security Policy Document](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for more details on submissions and rewards.\n\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-22T11:28:03.859Z"},{"id":3650139,"new_policy":"# **Cosmos Stargate Release Bug Bounty Program**\n\nThe Cosmos Stargate testnet release candidate is ready to launch. 
The various Cosmos teams responsible for delivering this new software are excited to enlist the help of the community to identify critical bugs that may have made it past engineering and integration testing so far. We depend on the community to assist us with testing so that we can increase confidence in the software release. Thus, for Stargate we will launch a special bug bounty program that will last from today through December 31, 2020. Rewards for this program will be temporarily increased from rewards in prior programs to encourage the community to actively support bug discovery.\n\n## About the Cosmos Stargate Bug Bounty\n\nThe Cosmos Stargate release teams include the Cosmos SDK, IBC, Tendermint Core, and IBC Relayer teams. We all believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. \n\nOur program exists to actively reward the people who discover bugs in our protocol and the products we’re building.\n\nRecent changes to the code include a transition from an in-house serialization system to Protobuf, major new Tendermint Core features like state sync and the first implementation of Cosmos’s flagship Inter-blockchain Communication (IBC) protocol. These are high priority for the security community to review.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use the CVSS framework to score all reports in a standardized and fair way.\n\nOnly for the Cosmos Stargate Release and only until December 31st 2020, we’ve increased the rewards for bugs and they will be classified into these categories for payout:\n\n* Critical— $5,000 and up (normally $2,500)\n\n* High— $3,000 and up (normally $1,000)\n\n* Medium— $1,000 and up (normally $500)\n\n* Low— up to $200\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. 
The Trail of Bits team will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Once resolved, valid issues reported to this program will be disclosed responsibly once they have been remediated. \n\n## **Program Scope**\n\nThe Cosmos Stargate release consists of upgrades and breaking changes to the Cosmos SDK, Tendermint, Gaia, and IBC codebases. Below is a brief summary of the changes to each project and links to their respective repositories:\n\n### Tendermint\n\nRepository: [https://github.com/tendermint/tendermint](https://github.com/tendermint/tendermint)\n\nThe Cosmos Hub has been running since December 2019 using the v0.32 series of Tendermint (latest version v0.32.13). There have since been major protocol-breaking upgrades and various other changes introduced in the v0.33 and v0.34 releases of Tendermint that have not yet been deployed to the Cosmos Hub (see the many v0.33 and v0.34 series release notes in the [CHANGELOG](https://github.com/tendermint/tendermint/blob/master/CHANGELOG.md)). We are especially interested in security regressions, risks, DoS, and other security vulnerabilities introduced with these changes. These changes include:\n\n* Migration from Amino to Protocol Buffers (see [example](https://github.com/tendermint/tendermint/issues/5423) regression)\n\n    * This in particular has a lot of surface area for regressions and other bugs, including malleable messages, invalid size bounds, serialization-related DoS, etc. See the [Tendermint 0.34, Protocol Buffers, and You](https://medium.com/tendermint/tendermint-0-34-protocol-buffers-and-you-8c40558939ae) post for context on this migration. 
\n\n* Commit data structure refactor (see [example](https://github.com/tendermint/tendermint/blob/master/CHANGELOG.md#denial-of-service) regression)\n\n* Upgraded light client protocol (see [example](https://github.com/tendermint/tendermint/blob/master/CHANGELOG.md#false-witness) regression)\n\n* Upgraded evidence handling reactor protocol (for validator accountability, and especially for attacks on light clients)\n\n* New state sync reactor protocol for quickly downloading the application state\n\n* Block pruning\n\n### Cosmos SDK\n\nRepository: [https://github.com/cosmos/cosmos-sdk](https://github.com/cosmos/cosmos-sdk)\n\nThe Cosmos Hub has been running since December 2019 using the v0.37 series of the Cosmos-SDK (latest version v0.37.14). There have since been major protocol breaking upgrades and various other changes introduced in the v0.38, v0.39, and v0.40 releases of the Cosmos-SDK, that have not yet been deployed to the Cosmos Hub (see the major [v0.38.0](https://github.com/cosmos/cosmos-sdk/wiki/v0.38-Release-Notes), [v0.39.0](https://github.com/cosmos/cosmos-sdk/blob/v0.39.0/RELEASE_NOTES.md), and [v0.40.0](https://github.com/cosmos/cosmos-sdk/blob/v0.40.x/RELEASE_NOTES.md) release notes, or view all changelog entries directly in the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/master/CHANGELOG.md)). 
We are especially interested in security regressions, security risks, DoS, and other security vulnerabilities introduced with these changes.\n\nSince v0.39.1 (the most recent published version of the Cosmos SDK), the major changes include:\n\n* Migration of the SDK’s primary serialization format from Amino to Protocol Buffers\n\n* Introduction of a single application binary (plus an upgrade daemon)\n\n* New testutil package for in-process integration tests / testnet testing framework\n\nMore detail on these major upgrades is available in the [Stargate release notes](https://github.com/cosmos/cosmos-sdk/blob/v0.40.x/RELEASE_NOTES.md), but the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/v0.40.x/CHANGELOG.md) is still the best place to see a comprehensive list of all breaking changes and improvements.\n\n### Gaia (Cosmos Hub)\n\nRepository: [https://github.com/cosmos/gaia](https://github.com/cosmos/gaia)\n\nVirtually all the relevant changes that affect Gaia are contained in the Cosmos-SDK repository. That said, the Gaia repo still composes the application and pulls everything together, and is the place from which the binaries are ultimately built. While the Cosmos Hub has been running the v2 series of Gaia releases since December, the v3 release will incorporate all the relevant changes in the Cosmos-SDK and Tendermint, and especially add support for new modules like IBC.\n\n### IBC\n\nRepository: [https://github.com/cosmos/cosmos-sdk](https://github.com/cosmos/cosmos-sdk)\n\nThe inter-blockchain communication (IBC) protocol is implemented within the Cosmos-SDK repository, in particular within the `x/ibc` directory. All sub-modules within `x/ibc` in the Cosmos-SDK are in scope. See both the IBC [implementation documentation](https://github.com/cosmos/cosmos-sdk/tree/1b9f144b9de1b0437be8f65e06ff6f982436b56d/x/ibc/spec) and the IBC [protocol specification](https://github.com/cosmos/ics/tree/master/spec). 
\n\n### IAVL\n\nRepository: [https://github.com/cosmos/iavl](https://github.com/cosmos/iavl)\n\nThe Cosmos Hub has been running since December 2019 using the v0.12.4 release of IAVL. There have since been major breaking upgrades and various other changes introduced in the v0.13, v0.14, and v0.15 releases of IAVL that have not yet been deployed to the Cosmos Hub (see the many v0.13, v0.14, and v0.15 series release notes in the [CHANGELOG](https://github.com/cosmos/iavl/blob/master/CHANGELOG.md)). We are especially interested in security regressions, security risks, DoS, and other security vulnerabilities introduced with these changes. These changes consist primarily of better support and fixes for database pruning, and the migration from Amino serialization to Protocol Buffers.\n\n### Other\n\nThe following additional repositories are also in scope:\n\n* [https://github.com/iqlusioninc/signatory](https://github.com/iqlusioninc/signatory) Restricted to the ed25519 provider sub-crates like dalek-ed25519 and ring.\n\n* [https://github.com/iqlusioninc/tmkms](https://github.com/iqlusioninc/tmkms)\n\n* [https://github.com/iqlusioninc/yubihsm.rs](https://github.com/iqlusioninc/yubihsm.rs) Restricted to the ed25519 pubkey and signing paths.\n\n* [https://github.com/cosmos/ledger-cosmos](https://github.com/cosmos/ledger-cosmos)\n\nWhile these have seen fewer changes than the other repos, they are all highly security-critical, as they handle private key material and secure hardware signing for both validators and token holders.\n\n## More Details\n\nTo qualify for a bounty, bugs must be: \n\n* Valid on the master branch of the corresponding repository. 
\n\n* Valid for 64-bit machines with at least 2 GB RAM.\n\n* Valid on Tendermint clusters where fewer than ⅓ of the nodes are faulty or malicious.\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities that are of interest to us include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service (specifically at the application- or protocol-layer), lost-write bugs, unauthorized account or capability access, stolen funds, token inflation bugs, payloads/transactions that cause panics, and so on. We are also interested in vulnerabilities that highlight clusters where more than ⅓ of the nodes may become faulty or malicious.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with Cosmos-SDK, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nAll other associated websites, services, and sub-domains are **out of scope**, including but not limited to:\n\n* [https://tendermint.com](https://www.tendermint.com/)\n\n* [https://cosmos.network](https://blog.cosmos.network/) \n\n* Cloud services, including AWS S3 buckets\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, Discord, and Telegram) should be disclosed directly to those services. \n\nScanner-generated reports and \"Advisory\" or “Informational” reports that do not include any Tendermint- or Cosmos-specific testing or context are ineligible for rewards. 
Additionally, clickjacking as a single finding and issues requiring social engineering components are ineligible for reward as part of this program. However, we may accept clickjacking as part of a chain. We also assume that all server environments have not been compromised before and during testing by other adversarial software or actors. \n\n## Security Guidelines\n\nSee our [Security Policy Document](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for more details on submissions and rewards.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-20T21:39:49.819Z"},{"id":3643508,"new_policy":"# **Cosmos Stargate Release Bug Bounty Program**\n\nThe Cosmos Stargate testnet release candidate is ready to launch. The various Cosmos teams responsible for delivering this new software are excited to enlist the help of the community to identify critical bugs that may have made it past engineering and integration testing so far. We depend on the community to assist us with testing so that we can increase confidence in the software release. Thus, for Stargate we will launch a special bug bounty program that will last from today through December 31, 2020. Rewards for this program will be temporarily increased from rewards in prior programs to encourage the community to actively support bug discovery.\n\n## About the Cosmos Stargate Bug Bounty\n\nThe Cosmos Stargate release teams include the Cosmos SDK, IBC, Tendermint Core, and IBC Relayer teams. We all believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. 
\n\nOur program exists to actively reward the people who discover bugs in our protocol and the products we’re building.\n\nRecent changes to the code include a transition from an in-house serialization system to Protobuf, major new Tendermint Core features like state sync, and the first implementation of Cosmos’s flagship Inter-blockchain Communication (IBC) protocol. These are high priority for the security community to review.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use the CVSS framework to score all reports in a standardized and fair way.\n\nOnly for the Cosmos Stargate Release and only until December 31st 2020, we’ve increased the rewards for bugs and they will be classified into these categories for payout:\n\n* Critical— $5,000 and up (normally $2,500)\n\n* High— $3,000 and up (normally $1,000)\n\n* Medium— $1,000 and up (normally $500)\n\n* Low— up to $200\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. The Trail of Bits team will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n## **Program Scope**\n\nThe Cosmos Stargate release consists of upgrades and breaking changes to the Cosmos SDK, Tendermint, Gaia, and IBC codebases. 
Below is a brief summary of the changes to each project and links to their respective repositories:\n\n### Tendermint\n\nRepository: [https://github.com/tendermint/tendermint](https://github.com/tendermint/tendermint)\n\nThe Cosmos Hub has been running since December 2019 using the v0.32 series of Tendermint (latest version v0.32.13). There have since been major protocol-breaking upgrades and various other changes introduced in the v0.33 and v0.34 releases of Tendermint that have not yet been deployed to the Cosmos Hub (see the many v0.33 and v0.34 series release notes in the [CHANGELOG](https://github.com/tendermint/tendermint/blob/master/CHANGELOG.md)). We are especially interested in security regressions, risks, DoS, and other security vulnerabilities introduced with these changes. These changes include:\n\n* Migration from Amino to Protocol Buffers (see [example](https://github.com/tendermint/tendermint/issues/5423) regression)\n\n    * This in particular has a lot of surface area for regressions and other bugs, including malleable messages, invalid size bounds, serialization-related DoS, etc. See the [Tendermint 0.34, Protocol Buffers, and You](https://medium.com/tendermint/tendermint-0-34-protocol-buffers-and-you-8c40558939ae) post for context on this migration. 
\n\n* Commit data structure refactor (see [example](https://github.com/tendermint/tendermint/blob/master/CHANGELOG.md#denial-of-service) regression)\n\n* Upgraded light client protocol (see [example](https://github.com/tendermint/tendermint/blob/master/CHANGELOG.md#false-witness) regression)\n\n* Upgraded evidence handling reactor protocol (for validator accountability, and especially for attacks on light clients)\n\n* New state sync reactor protocol for quickly downloading the application state\n\n* Block pruning\n\n### Cosmos SDK\n\nRepository: [https://github.com/cosmos/cosmos-sdk](https://github.com/cosmos/cosmos-sdk)\n\nThe Cosmos Hub has been running since December 2019 using the v0.37 series of the Cosmos-SDK (latest version v0.37.14). There have since been major protocol-breaking upgrades and various other changes introduced in the v0.38, v0.39, and v0.40 releases of the Cosmos-SDK that have not yet been deployed to the Cosmos Hub (see the major [v0.38.0](https://github.com/cosmos/cosmos-sdk/wiki/v0.38-Release-Notes), [v0.39.0](https://github.com/cosmos/cosmos-sdk/blob/v0.39.0/RELEASE_NOTES.md), and [v0.40.0](https://github.com/cosmos/cosmos-sdk/blob/v0.40.x/RELEASE_NOTES.md) release notes, or view all changelog entries directly in the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/master/CHANGELOG.md)). 
We are especially interested in security regressions, security risks, DoS, and other security vulnerabilities introduced with these changes.\n\nSince v0.39.1 (the most recent published version of the Cosmos SDK), the major changes include:\n\n* Migration of the SDK’s primary serialization format from Amino to Protocol Buffers\n\n* Introduction of a single application binary (plus an upgrade daemon)\n\n* New testutil package for in-process integration tests / testnet testing framework\n\nMore detail on these major upgrades is available in the [Stargate release notes](https://github.com/cosmos/cosmos-sdk/blob/v0.40.x/RELEASE_NOTES.md), but the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/v0.40.x/CHANGELOG.md) is still the best place to see a comprehensive list of all breaking changes and improvements.\n\n### Gaia (Cosmos Hub)\n\nRepository: [https://github.com/cosmos/gaia](https://github.com/cosmos/gaia)\n\nVirtually all the relevant changes that affect Gaia are contained in the Cosmos-SDK repository. That said, the Gaia repo still composes the application and pulls everything together, and is where the binaries are ultimately built. While the Cosmos Hub has been running the v2 series of Gaia releases since December, the v3 release will incorporate all the relevant changes in the Cosmos-SDK and Tendermint, and in particular add support for new modules like IBC.\n\n### IBC\n\nRepository: [https://github.com/cosmos/cosmos-sdk](https://github.com/cosmos/cosmos-sdk)\n\nThe inter-blockchain communication (IBC) protocol is implemented within the Cosmos-SDK repository, in particular within the `x/ibc` directory. All sub-modules within `x/ibc` in the Cosmos-SDK are in scope. See both the IBC [implementation documentation](https://github.com/cosmos/cosmos-sdk/tree/1b9f144b9de1b0437be8f65e06ff6f982436b56d/x/ibc/spec) and the IBC [protocol specification](https://github.com/cosmos/ics/tree/master/spec). 
\n\n### IAVL\n\nRepository: [https://github.com/cosmos/iavl](https://github.com/cosmos/iavl)\n\nThe Cosmos Hub has been running since December 2019 using the v0.12.4 release of IAVL. There have since been major breaking upgrades and various other changes introduced in the v0.13, v0.14, and v0.15 releases of IAVL that have not yet been deployed to the Cosmos Hub (see the many v0.13, v0.14, and v0.15 series release notes in the [CHANGELOG](https://github.com/cosmos/iavl/blob/master/CHANGELOG.md)). We are especially interested in security regressions, security risks, DoS, and other security vulnerabilities introduced with these changes. These changes consisted primarily of better support and fixes for pruning the database, and the migration from Amino serialization to Protocol Buffers.\n\n### Other\n\nThe following additional repositories are also in scope:\n\n* [https://github.com/iqlusioninc/signatory](https://github.com/iqlusioninc/signatory) Restricted to the ed25519 provider sub-crates like dalek-ed25519 and ring.\n\n* [https://github.com/iqlusioninc/tmkms](https://github.com/iqlusioninc/tmkms)\n\n* [https://github.com/iqlusioninc/yubihsm.rs](https://github.com/iqlusioninc/yubihsm.rs) Restricted to the ed25519 pubkey and signing paths.\n\n* [https://github.com/cosmos/ledger-cosmos](https://github.com/cosmos/ledger-cosmos)\n\nWhile these have seen fewer changes than the other repos, they are all highly security-critical as they handle private key material and secure hardware signing for both validators and token holders.\n\n## More Details\n\nTo qualify for a bounty, bugs must be: \n\n* Valid on the master branch of the corresponding repository. 
\n\n* Valid for 64-bit machines with at least 2 GB RAM.\n\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities that are of interest to us include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service (specifically at the application or protocol layer), lost-write bugs, unauthorized account or capability access, stolen funds, token inflation bugs, payloads/transactions that cause panics, and so on. We are also interested in vulnerabilities that could cause more than ⅓ of the nodes in a cluster to become faulty or malicious.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with Cosmos-SDK, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nAll other associated websites, services, and sub-domains are **out of scope**, including:\n\n* [https://tendermint.com](https://www.tendermint.com/)\n\n* [https://cosmos.network](https://blog.cosmos.network/)\n\n* Cloud services, including AWS S3 buckets\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, Discord, and Telegram) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint- or Cosmos-specific testing or context are ineligible for rewards. 
Additionally, clickjacking as a single finding and issues requiring social engineering components are ineligible for reward as part of this program. However, we may accept clickjacking as part of a chain. We also assume that no server environment has been compromised by other adversarial software or actors before or during testing.\n\n## Security Guidelines\n\nSee our [Security Policy Document](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for more details on submissions and rewards.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-08T12:19:42.357Z"},{"id":3643507,"new_policy":"# **Cosmos Stargate Release Bug Bounty Program**\n\nThe Cosmos Stargate testnet release candidate is ready to launch. The various Cosmos teams responsible for delivering this new software are excited to enlist the help of the community to identify critical bugs that may have made it past engineering and integration testing so far. We depend on the community to assist us with testing so that we can increase confidence in the software release. Thus, for Stargate we will launch a special bug bounty program that will last from today through December 31, 2020. Rewards for this program are temporarily increased relative to prior programs to encourage the community to actively support bug discovery.\n\n## About the Cosmos Stargate Bug Bounty\n\nThe Cosmos Stargate release teams include the Cosmos SDK, IBC, Tendermint Core, and IBC Relayer teams. We all believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. 
\n\nOur program exists to actively reward the people who discover bugs in our protocol and the products we’re building.\n\nRecent changes to the code include a transition from an in-house serialization system to Protobuf, major new Tendermint Core features like state sync, and the first implementation of Cosmos’s flagship Inter-blockchain Communication (IBC) protocol. These are high priority for the security community to review.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use the CVSS framework to score all reports in a standardized and fair way.\n\nOnly for the Cosmos Stargate Release and only until December 31st 2020, we’ve increased the rewards for bugs and they will be classified into these categories for payout:\n\n* Critical— $5,000 and up\n\n* High— $3,000 and up\n\n* Medium— $1,000 and up\n\n* Low— up to $200\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. The Trail of Bits team will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n## **Program Scope**\n\nThe Cosmos Stargate release consists of upgrades and breaking changes to the Cosmos SDK, Tendermint, Gaia, and IBC codebases. Below is a brief summary of the changes to each project and links to their respective repositories:\n\n### Tendermint\n\nRepository: [https://github.com/tendermint/tendermint](https://github.com/tendermint/tendermint)\n\nThe Cosmos Hub has been running since December 2019 using the v0.32 series of Tendermint (latest version v0.32.13). 
There have since been major protocol-breaking upgrades and various other changes introduced in the v0.33 and v0.34 releases of Tendermint that have not yet been deployed to the Cosmos Hub (see the many v0.33 and v0.34 series release notes in the [CHANGELOG](https://github.com/tendermint/tendermint/blob/master/CHANGELOG.md)). We are especially interested in security regressions, risks, DoS, and other security vulnerabilities introduced with these changes. These changes include:\n\n* Migration from Amino to Protocol Buffers (see [example](https://github.com/tendermint/tendermint/issues/5423) regression)\n\n    * This in particular has a lot of surface area for regressions and other bugs, including malleable messages, invalid size bounds, serialization-related DoS, etc. See the [Tendermint 0.34, Protocol Buffers, and You](https://medium.com/tendermint/tendermint-0-34-protocol-buffers-and-you-8c40558939ae) post for context on this migration. \n\n* Commit data structure refactor (see [example](https://github.com/tendermint/tendermint/blob/master/CHANGELOG.md#denial-of-service) regression)\n\n* Upgraded light client protocol (see [example](https://github.com/tendermint/tendermint/blob/master/CHANGELOG.md#false-witness) regression)\n\n* Upgraded evidence handling reactor protocol (for validator accountability, and especially for attacks on light clients)\n\n* New state sync reactor protocol for quickly downloading the application state\n\n* Block pruning\n\n### Cosmos SDK\n\nRepository: [https://github.com/cosmos/cosmos-sdk](https://github.com/cosmos/cosmos-sdk)\n\nThe Cosmos Hub has been running since December 2019 using the v0.37 series of the Cosmos-SDK (latest version v0.37.14). 
There have since been major protocol-breaking upgrades and various other changes introduced in the v0.38, v0.39, and v0.40 releases of the Cosmos-SDK that have not yet been deployed to the Cosmos Hub (see the major [v0.38.0](https://github.com/cosmos/cosmos-sdk/wiki/v0.38-Release-Notes), [v0.39.0](https://github.com/cosmos/cosmos-sdk/blob/v0.39.0/RELEASE_NOTES.md), and [v0.40.0](https://github.com/cosmos/cosmos-sdk/blob/v0.40.x/RELEASE_NOTES.md) release notes, or view all changelog entries directly in the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/master/CHANGELOG.md)). We are especially interested in security regressions, security risks, DoS, and other security vulnerabilities introduced with these changes.\n\nSince v0.39.1 (the most recent published version of the Cosmos SDK), the major changes include:\n\n* Migration of the SDK’s primary serialization format from Amino to Protocol Buffers\n\n* Introduction of a single application binary (plus an upgrade daemon)\n\n* New testutil package for in-process integration tests / testnet testing framework\n\nMore detail on these major upgrades is available in the [Stargate release notes](https://github.com/cosmos/cosmos-sdk/blob/v0.40.x/RELEASE_NOTES.md), but the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/v0.40.x/CHANGELOG.md) is still the best place to see a comprehensive list of all breaking changes and improvements.\n\n### Gaia (Cosmos Hub)\n\nRepository: [https://github.com/cosmos/gaia](https://github.com/cosmos/gaia)\n\nVirtually all the relevant changes that affect Gaia are contained in the Cosmos-SDK repository. That said, the Gaia repo still composes the application and pulls everything together, and is where the binaries are ultimately built. 
While the Cosmos Hub has been running the v2 series of Gaia releases since December, the v3 release will incorporate all the relevant changes in the Cosmos-SDK and Tendermint, and in particular add support for new modules like IBC.\n\n### IBC\n\nRepository: [https://github.com/cosmos/cosmos-sdk](https://github.com/cosmos/cosmos-sdk)\n\nThe inter-blockchain communication (IBC) protocol is implemented within the Cosmos-SDK repository, in particular within the `x/ibc` directory. All sub-modules within `x/ibc` in the Cosmos-SDK are in scope. See both the IBC [implementation documentation](https://github.com/cosmos/cosmos-sdk/tree/1b9f144b9de1b0437be8f65e06ff6f982436b56d/x/ibc/spec) and the IBC [protocol specification](https://github.com/cosmos/ics/tree/master/spec). \n\n### IAVL\n\nRepository: [https://github.com/cosmos/iavl](https://github.com/cosmos/iavl)\n\nThe Cosmos Hub has been running since December 2019 using the v0.12.4 release of IAVL. There have since been major breaking upgrades and various other changes introduced in the v0.13, v0.14, and v0.15 releases of IAVL that have not yet been deployed to the Cosmos Hub (see the many v0.13, v0.14, and v0.15 series release notes in the [CHANGELOG](https://github.com/cosmos/iavl/blob/master/CHANGELOG.md)). We are especially interested in security regressions, security risks, DoS, and other security vulnerabilities introduced with these changes. 
These changes consisted primarily of better support and fixes for pruning the database, and the migration from Amino serialization to Protocol Buffers.\n\n### Other\n\nThe following additional repositories are also in scope:\n\n* [https://github.com/iqlusioninc/signatory](https://github.com/iqlusioninc/signatory) Restricted to the ed25519 provider sub-crates like dalek-ed25519 and ring.\n\n* [https://github.com/iqlusioninc/tmkms](https://github.com/iqlusioninc/tmkms)\n\n* [https://github.com/iqlusioninc/yubihsm.rs](https://github.com/iqlusioninc/yubihsm.rs) Restricted to the ed25519 pubkey and signing paths.\n\n* [https://github.com/cosmos/ledger-cosmos](https://github.com/cosmos/ledger-cosmos)\n\nWhile these have seen fewer changes than the other repos, they are all highly security-critical as they handle private key material and secure hardware signing for both validators and token holders.\n\n## More Details\n\nTo qualify for a bounty, bugs must be: \n\n* Valid on the master branch of the corresponding repository. \n\n* Valid for 64-bit machines with at least 2 GB RAM.\n\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities that are of interest to us include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service (specifically at the application or protocol layer), lost-write bugs, unauthorized account or capability access, stolen funds, token inflation bugs, payloads/transactions that cause panics, and so on. 
We are also interested in vulnerabilities that could cause more than ⅓ of the nodes in a cluster to become faulty or malicious.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with Cosmos-SDK, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nAll other associated websites, services, and sub-domains are **out of scope**, including:\n\n* [https://tendermint.com](https://www.tendermint.com/)\n\n* [https://cosmos.network](https://blog.cosmos.network/)\n\n* Cloud services, including AWS S3 buckets\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, Discord, and Telegram) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint- or Cosmos-specific testing or context are ineligible for rewards. Additionally, clickjacking as a single finding and issues requiring social engineering components are ineligible for reward as part of this program. However, we may accept clickjacking as part of a chain. We also assume that no server environment has been compromised by other adversarial software or actors before or during testing. 
\n\n## Security Guidelines\n\nSee our [Security Policy Document](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for more details on submissions and rewards.\n\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-10-08T12:13:31.983Z"},{"id":3620589,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. 
Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, the `tendermint` repo, `signatory`, `kms`, `yubihsm-rs`, `go-amino` and `iavl` libraries, `Ledger-Cosmos`, `ledger-cosmos-app` and `Cosmos-SDK` are in scope. To qualify for a bounty, bugs must be: \n\n* Valid on the master branch of the corresponding repository, unless they're in `Cosmos-SDK`. As this repository is under rapid development, we will accept submissions that are valid on the `develop` branch. \n* Valid for 64-bit machines with at least 2 GB RAM.\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service, lost-write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with `Cosmos-SDK`, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nPlease note that only the `tendermint` repo and its libraries, `signatory`, `kms`, `yubihsm-rs`, and the `Cosmos-SDK` are in scope for this bounty. 
All other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-04T21:24:39.526Z"},{"id":3605370,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. 
If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, the `tendermint` repo, `signatory`, `kms`, `yubihsm-rs`, `go-amino` and `iavl` libraries, `Ledger-Cosmos`, `ledger-cosmos-app` and `Cosmos-SDK` are in scope. To qualify for a bounty, bugs must be: \n\n* Valid on the master branch of the corresponding repository, unless they're in `Cosmos-SDK`. As this repository is under rapid development, we will accept submissions that are valid on the `develop` branch. 
\n* Valid for 64-bit machines with at least 2 GB RAM.\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service, lost-write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with `Cosmos-SDK`, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nPlease note that only the `tendermint` repo and its libraries, `signatory`, `kms`, `yubihsm-rs`, and the `Cosmos-SDK` are in scope for this bounty. All other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-03-16T14:08:04.851Z"},{"id":3601243,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\n**PROGRAM REWARDS UPDATE: From now until the upcoming launch of the Cosmos mainnet, any valid bugs in our `Cosmos-SDK` submitted to this program will be paid out at a 1.5x reward rate. 
And from now through February 28th, we'll even throw in a bonus reward for Critical and High-risk bugs: a [personalized poem about the bug](https://twitter.com/buchmanster/status/1088857831800012800) from our very own Ethan Buchman.**\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software: it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, the `tendermint` repo, the `signatory`, `kms`, `yubihsm-rs`, `go-amino` and `iavl` libraries, `Ledger-Cosmos`, `ledger-cosmos-app` and `Cosmos-SDK` are in scope. To qualify for a bounty, bugs must be: \n\n* Valid on the master branch of the corresponding repository, unless they're in `Cosmos-SDK`; as that repository is under rapid development, we will also accept submissions that are valid on its `develop` branch. 
\n* Valid for 64-bit machines with at least 2 GB RAM.\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with `Cosmos-SDK`, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nPlease note that only the `tendermint` repo and its libraries, `signatory`, `kms`, `yubihsm-rs`, and `Cosmos-SDK` are in scope for this bounty. All other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-25T18:15:12.378Z"},{"id":3601242,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors, including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\n__PROGRAM REWARDS UPDATE: From now until the upcoming launch of the Cosmos mainnet, any valid bugs in our `Cosmos-SDK` submitted to this program will be paid out at a 1.5x reward rate. 
And from now through February 28th, we'll even throw in a bonus reward for Critical and High-risk bugs: a [personalized poem about the bug](https://twitter.com/buchmanster/status/1088857831800012800) from our very own Ethan Buchman.__\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software: it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, the `tendermint` repo, the `signatory`, `kms`, `yubihsm-rs`, `go-amino` and `iavl` libraries, `Ledger-Cosmos`, `ledger-cosmos-app` and `Cosmos-SDK` are in scope. To qualify for a bounty, bugs must be: \n\n* Valid on the master branch of the corresponding repository, unless they're in `Cosmos-SDK`; as that repository is under rapid development, we will also accept submissions that are valid on its `develop` branch. 
\n* Valid for 64-bit machines with at least 2 GB RAM.\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with `Cosmos-SDK`, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nPlease note that only the `tendermint` repo and its libraries, `signatory`, `kms`, `yubihsm-rs`, and `Cosmos-SDK` are in scope for this bounty. All other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-25T18:13:57.463Z"},{"id":3601241,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors, including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\n__PROGRAM REWARDS UPDATE: From now until the upcoming launch of the Cosmos mainnet, any valid bugs in our `Cosmos-SDK` submitted to this program will be paid out at a 1.5x reward rate. 
And from now through February 28th, we'll even throw in a bonus reward for Critical and High-risk bugs: a personalized poem about the bug from our very own Ethan Buchman: https://twitter.com/buchmanster/status/1088857831800012800__\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software: it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, the `tendermint` repo, the `signatory`, `kms`, `yubihsm-rs`, `go-amino` and `iavl` libraries, `Ledger-Cosmos`, `ledger-cosmos-app` and `Cosmos-SDK` are in scope. To qualify for a bounty, bugs must be: \n\n* Valid on the master branch of the corresponding repository, unless they're in `Cosmos-SDK`; as that repository is under rapid development, we will also accept submissions that are valid on its `develop` branch. 
\n* Valid for 64-bit machines with at least 2 GB RAM.\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with `Cosmos-SDK`, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nPlease note that only the `tendermint` repo and its libraries, `signatory`, `kms`, `yubihsm-rs`, and `Cosmos-SDK` are in scope for this bounty. All other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-25T18:13:04.499Z"},{"id":3600781,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors, including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\n__PROGRAM REWARDS UPDATE: From now until the upcoming launch of the Cosmos mainnet, any valid bugs in our `Cosmos-SDK` submitted to this program will be paid out at a 1.5x reward rate.__\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software: it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, the `tendermint` repo, the `signatory`, `kms`, `yubihsm-rs`, `go-amino` and `iavl` libraries, `Ledger-Cosmos`, `ledger-cosmos-app` and `Cosmos-SDK` are in scope. To qualify for a bounty, bugs must be: \n\n* Valid on the master branch of the corresponding repository, unless they're in `Cosmos-SDK`; as that repository is under rapid development, we will also accept submissions that are valid on its `develop` branch. 
\n* Valid for 64-bit machines with at least 2 GB RAM.\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with `Cosmos-SDK`, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nPlease note that only the `tendermint` repo and its libraries, `signatory`, `kms`, `yubihsm-rs`, and `Cosmos-SDK` are in scope for this bounty. All other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-18T23:36:25.654Z"},{"id":3595161,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors, including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\n__PROGRAM REWARDS UPDATE: From now until the upcoming launch of the Cosmos mainnet, any valid bugs in our `Cosmos-SDK` submitted to this program will be paid out at a 1.5x reward rate.__\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software: it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, the `tendermint` repo, the `signatory`, `kms`, `yubihsm-rs`, `go-amino` and `iavl` libraries, `Ledger-Cosmos`, `ledger-cosmos-app` and `Cosmos-SDK` are in scope. To qualify for a bounty, bugs must be: \n\n* Valid on the master branch of the corresponding repository, unless they're in `Cosmos-SDK`; as that repository is under rapid development, we will also accept submissions that are valid on its `develop` branch. 
\n* Valid for 64-bit machines with at least 2 GB RAM.\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with `Cosmos-SDK`, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nPlease note that only the `tendermint` repo and its libraries, `signatory`, `kms`, `yubihsm-rs`, and `Cosmos-SDK` are in scope for this bounty. All other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n* https://tendermint.readthedocs.io\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program. 
\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-20T04:30:32.647Z"},{"id":3595130,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors, including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\n__PROGRAM REWARDS UPDATE: From now until the upcoming launch of the Cosmos mainnet, any valid bugs in our `Cosmos-SDK` submitted to this program will be paid out at a 1.5x reward rate.__\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software: it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, the `tendermint` repo, the `signatory`, `kms`, `yubihsm-rs`, `go-amino` and `iavl` libraries, and `Cosmos-SDK` are in scope. To qualify for a bounty, bugs must be: \n\n* Valid on the master branch of the corresponding repository, unless they're in `Cosmos-SDK`; as that repository is under rapid development, we will also accept submissions that are valid on its `develop` branch. 
\n* Valid for 64-bit machines with at least 2 GB RAM.\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with `Cosmos-SDK`, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nPlease note that only the `tendermint` repo and its libraries, `signatory`, `kms`, `yubihsm-rs`, and `Cosmos-SDK` are in scope for this bounty. All other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n* https://tendermint.readthedocs.io\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program. 
\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-19T20:33:54.564Z"},{"id":3595129,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors, including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\n__PROGRAM REWARDS UPDATE: From now until the upcoming launch of the Cosmos mainnet, any valid bugs in our `Cosmos-SDK` submitted to this program will be paid out at a 1.5x reward rate.__\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software: it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, the `tendermint` repo, the `signatory`, `kms`, `yubihsm-rs`, `go-amino` and `iavl` libraries, and `Cosmos-SDK` are in scope. 
To qualify for a bounty, bugs must be: \n\n* Valid on the master branch of the corresponding repository\n* Valid for 64-bit machines with at least 2 GB RAM.\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with `Cosmos-SDK`, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nPlease note that only the `tendermint` repo and its libraries, `signatory`, `kms`, `yubihsm-rs`, and `Cosmos-SDK` are in scope for this bounty. All other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n* https://tendermint.readthedocs.io\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program. 
\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-19T20:09:26.199Z"},{"id":3595128,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\n__PROGRAM UPDATE: From now until the launch of the Cosmos mainnet, any valid bugs in `Cosmos-SDK` submitted to our program will be paid out at a 1.5x reward rate!!!__\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, the `tendermint` repo, the `signatory`, `kms`, `yubihsm-rs`, `go-amino` and `iavl` libraries, and `Cosmos-SDK` are in scope. 
To qualify for a bounty, bugs must be:\n\n* Valid on the master branch of the corresponding repository\n* Valid for 64-bit machines with at least 2 GB RAM\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with `Cosmos-SDK`, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nPlease note that only the `tendermint` repo and its libraries, `signatory`, `kms`, `yubihsm-rs`, as well as the `Cosmos-SDK` are in scope for this bounty. All other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n* https://tendermint.readthedocs.io\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program. 
\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-19T20:07:15.177Z"},{"id":3594401,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue.\n\nValid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, the `tendermint` repo, the `signatory`, `kms`, `yubihsm-rs`, `go-amino` and `iavl` libraries, and `Cosmos-SDK` are in scope. To qualify for a bounty, bugs must be:\n\n* Valid on the master branch of the corresponding repository\n* Valid for 64-bit machines with at least 2 GB RAM\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.com/docs/) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. 
To work with `Cosmos-SDK`, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nPlease note that only the `tendermint` repo and its libraries, `signatory`, `kms`, `yubihsm-rs`, as well as the `Cosmos-SDK` are in scope for this bounty. All other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n* https://tendermint.readthedocs.io\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-12T19:06:57.760Z"},{"id":3594399,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. 
Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue.\n\nValid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, the `tendermint` repo, the `signatory`, `kms`, `yubihsm-rs`, `go-amino` and `iavl` libraries, and `Cosmos-SDK` are in scope. 
To qualify for a bounty, bugs must be:\n\n* Valid on the master branch of the corresponding repository\n* Valid for 64-bit machines with at least 2 GB RAM\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.readthedocs.io/en/master/install.html) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with `Cosmos-SDK`, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nPlease note that only the `tendermint` repo and its libraries, `signatory`, `kms`, `yubihsm-rs`, as well as the `Cosmos-SDK` are in scope for this bounty. All other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n* https://tendermint.readthedocs.io\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program. 
\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-12T18:18:03.252Z"},{"id":3594398,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. 
At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue.\n\nValid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, the `tendermint` repo, the `go-amino` and `iavl` libraries, and `Cosmos-SDK` are in scope. To qualify for a bounty, bugs must be:\n\n* Valid on the master branch of the corresponding repository\n* Valid for 64-bit machines with at least 2 GB RAM\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.readthedocs.io/en/master/install.html) for a quick-start guide to getting Tendermint running so you can start hunting for bugs. 
To work with `Cosmos-SDK`, start [here](https://cosmos.network/docs/) to learn more about getting it up and running in your testing environment.\n\nPlease note that only the `tendermint` repo and its libraries, as well as the `Cosmos-SDK`, are in scope for this bounty. All other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n* https://tendermint.readthedocs.io\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-12T17:57:15.182Z"},{"id":3581327,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. 
Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue.\n\nValid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, only the `tendermint` repo and the `go-amino` and `iavl` libraries are in scope. 
To qualify for a bounty, bugs must be:\n\n* Valid on the master branch of the corresponding repository\n* Valid for 64-bit machines with at least 2 GB RAM\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs: from those that can be demonstrated with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.readthedocs.io/en/master/install.html) for a quick-start guide to getting Tendermint running in your environment so you can start hunting for bugs.\n\nPlease note that only the `tendermint` repo and libraries are in scope for this bounty.\nAll other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n* https://tendermint.readthedocs.io\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-02T17:07:12.562Z"},{"id":3581107,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue.\n\nValid issues reported to this program will be disclosed responsibly once they have been remediated. 
\n\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, only the `tendermint` repo and the `abci`, `go-amino`, `go-crypto` and `iavl` libraries are in scope. To qualify for a bounty, bugs must be:\n\n* Valid on the master branch of the corresponding repository\n* Valid for 64-bit machines with at least 2 GB RAM\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs: from those that can be demonstrated with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.readthedocs.io/en/master/install.html) for a quick-start guide to getting Tendermint running in your environment so you can start hunting for bugs.\n\nPlease note that only the `tendermint` repo and libraries are in scope for this bounty.\nAll other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n* https://tendermint.readthedocs.io\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. 
Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-06-28T19:41:46.426Z"},{"id":3581106,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.
\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1,000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we will reward creative or severe bugs accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue.\n\nValid issues reported to this program will be disclosed responsibly once they have been remediated.\n\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, only the `tendermint` repo and the `abci`, `go-amino`, `go-crypto` and `iavl` libraries are in scope. 
To qualify for a bounty, bugs must be:\n\n* Valid on the master branch of the corresponding repository\n* Valid for 64-bit machines with at least 2 GB RAM\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious\n* Valid using Tendermint’s built-in `persistent_dummy` application\n\nWe’re interested in a full range of bugs: from those that can be demonstrated with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested in include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.readthedocs.io/en/master/install.html) for a quick-start guide to getting Tendermint running in your environment so you can start hunting for bugs.\n\nPlease note that only the `tendermint` repo and libraries are in scope for this bounty.\nAll other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com\n* https://blog.cosmos.network\n* https://tendermint.readthedocs.io\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (e.g. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services.\n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, clickjacking and issues requiring social engineering components are ineligible for reward as part of this program.\n\n## Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-06-28T19:31:09.285Z"},{"id":3581105,"new_policy":"## Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.  \n\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we will reward creative or severe bugs accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue.\n\nOnce resolved, valid issues reported to this program will be disclosed responsibly once they have been remediated. 
\n\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, only the `tendermint` repo and the `abci`, `go-amino`, `go-crypto` and `iavl` libraries are in-scope. To qualify for a bounty, bugs must be: \n\n* Valid on the master branch of the corresponding repository\n* Valid for 64-bit machines with at least 2 GB RAM.\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.\n* Valid using Tendermint’s built in `persistent_dummy` application\n\nWe’re interested in a full range of bugs: from those that can be demonstrated with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.readthedocs.io/en/master/install.html) for a quick-start guide to getting Tendermint running in your environment so you can start hunting for bugs.\n\nPlease note that only the `tendermint` repo and libraries are in scope for this bounty.\nAll other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com \n* https://blog.cosmos.network\n* https://tendermint.readthedocs.io\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (i.e. 
Mailchimp, Meetup, RiotChat) should be disclosed directly to those services. \n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, issues requiring social engineering components are ineligible for reward as part of this program. \n\n##Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  |\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-06-28T19:30:39.889Z"},{"id":3577566,"new_policy":"# Tendermint Bug Bounty Program\nAt Tendermint, proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building. If you’re here to find web application vulnerabilities, our code isn’t the right place to go searching for the usual suspects like XSS, CSRF, and header misconfigurations.\n\nBounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality.  
\n\n\nRewards for bugs will be classified into these categories for payout:\n\n* Critical— $2,500 and up\n* High— $1000 and up\n* Medium— $500 and up\n* Low— up to $100\n\nWhile there is no maximum program reward, we will reward creative or severe bugs accordingly. Tendermint will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.\n\nIf we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue.\n\nOnce resolved, valid issues reported to this program will be disclosed responsibly once they have been remediated. \n\n\n## Program Scope\n\nTendermint is a fault-tolerant database engine that replicates transaction logs and application data consistently across many computers. Unlike other fault-tolerant database engines, Tendermint works even if some of the participating computers are malicious. Tendermint’s goal is to be the world’s best and most secure replicated database software - it should be performant, highly available, and never lead to inconsistencies.\n\nAt present, only the `tendermint` repo and the `abci`, `go-amino`, `go-crypto` and `iavl` libraries are in-scope. 
To qualify for a bounty, bugs must be: \n\n* Valid on the master branch of the corresponding repository\n* Valid for 64-bit machines with at least 2 GB RAM.\n* Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.\n* Valid using Tendermint’s built in `persistent_dummy` application\n\nWe’re interested in a full range of bugs: from those that can be demonstrated with a simple unit test, to those that require a full cluster and a complex sequence of transactions.\n\nExamples of vulnerabilities we’re interested include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service, lost write bugs, and payloads/transactions that cause panics.\n\nPlease see [here](https://tendermint.readthedocs.io/en/master/install.html) for a quick-start guide to getting Tendermint running in your environment so you can start hunting for bugs.\n\nPlease note that only the `tendermint` repo and libraries are in scope for this bounty.\nAll other associated websites and services are out of scope, including:\n\n* https://www.tendermint.com \n* https://blog.cosmos.network\n* https://tendermint.readthedocs.io\n\nThough bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (i.e. Mailchimp, Meetup, RiotChat) should be disclosed directly to those services. \n\nScanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint-specific testing or context are ineligible for rewards. Additionally, issues requiring social engineering components are ineligible for reward as part of this program. \n\n\n```bunnytalk\n|￣￣￣￣￣￣|\n| happy     |\n| hunting!  
|\n| ＿＿＿＿＿_| \n(\\__/) || \n(•ㅅ•) || \n/ 　 づ\n```\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-23T23:48:59.387Z"}]