[{"id":3756104,"new_policy":"# MPC Bug Bounty Program\nThis program is for the disclosure of software security vulnerabilities only.\nThe program only covers code found in the mpc-lib repository (https://github.com/fireblocks/mpc-lib).\n\nThis policy governs the MPC Bug Bounty Program (the “Program”).\nNote: Fireblocks has additional bug bounty programs, such as the [Fireblocks Bug Bounty Program](https://hackerone.com/fireblocks), which shall be governed by their own separate policies.\n\n# Introduction\nSecurity researchers play a crucial role in ensuring the safety of the blockchain industry as we build toward a common goal. Fireblocks actively encourages the responsible disclosure of security vulnerabilities through our Bug Bounty Program so that we may enable every business to manage their digital asset operations and build innovative businesses on the blockchain.\n\nWith the objective of securing the most widely used protocols and signature schemes, this Program focuses on the highest priority signature scheme, the MPC protocol for ECDSA signatures used in Bitcoin, Ethereum, and additional blockchains, as well as the protocol for EdDSA.\n\nTo qualify for a reward, a report must clearly demonstrate a software vulnerability that harms Fireblocks and its customers. Such a report is considered a valid, in-scope report. Fireblocks will determine, at its sole discretion, whether a report meets the eligibility criteria for a bounty and the amount of the reward.\n\n# Program Rules\n* Make a good-faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses. 
Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not use the vulnerability for any purpose, such as publicly disclosing or making a profit, other than receiving a reward through this Program.\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Any public disclosure of any vulnerabilities is prohibited without our consent. We will not approve public disclosure requests until the vulnerability has been resolved.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit only one vulnerability per submission unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a report, you agree to be bound by these rules.\n\n# Report Evaluation\nIn order for a report to be deemed valid, it must demonstrate a vulnerability within the scope.\nA report must be a valid, in-scope report in order to qualify for a bounty.\n\nIf the report does not include a valid Proof-of-Concept, the qualification for rewards will be decided according to the reproducibility and severity of the vulnerability, and the amount of the reward may be reduced.\n\nBounty awards are based on the severity of the vulnerability. 
\n\nFor your reported vulnerability to be eligible, you must:\n* Discover a previously unreported, non-public vulnerability.\n* Provide sufficient information to enable Fireblocks’ team to reproduce and fix the vulnerability.\n* Submit a vulnerability on an issue that was not already rewarded under this Program.\n\n| **Vulnerability Tier** | **Example Vulnerability** |\n| - | - |\n| **Critical** | **Retrieving the key or a rogue signature without triggering any failures or aborts, regardless of the number of transactions involved. Obtaining the key/rogue signature by causing fewer than 1000 failures/aborts.** |\n| **High** | **Obtaining the key/rogue signature by causing fewer than 1 billion failures/aborts.** |\n| **Medium** | **Leaking bits of the private key or causing memory corruption.** |\n| **Low** | **Exploit exposure to a smaller subset of non-critical systems and/or data.** |\n\n| **Vulnerability Tier** | **Reward** |\n| - | - |\n| **Critical** | **Up to $250,000** |\n| **High** | **Up to $100,000** |\n| **Medium** | **Up to $40,000** |\n| **Low** | **Up to $5,000** |\n\nThe rewards listed next to each tier are maximum bounties for each tier. The specific amount awarded for a bug will vary according to:\n* The impact of the bug.\n* The cause of the bug.\n* Whether or not the report submitted suggests a solution to the bug or helps in its resolution.\n* The process through which the bug was discovered.\n\n# Report Closure\nFireblocks reviews all findings that are reported via this Program. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Fireblocks may request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. 
After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports. Failure to provide a detailed report will result in delayed triage and/or ticket closure. Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for a bounty and are strictly prohibited.\n\n# Scope\n* Only the MPC library is eligible for this Program (https://github.com/fireblocks/mpc-lib).\n* Only an issue identified within the scope qualifies for the Program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n\n# Non-Qualifying Vulnerabilities\n* Unexploitable hypothetical side-channel attacks\n* Vulnerabilities discovered in a third-party library that is utilized in the MPC cryptography source code\n\n# Qualifying Vulnerabilities\nWe are looking to find security issues affecting our blockchain protocol such as:\n\n* Bugs in our implementation of the cryptographic primitives\n* Bugs in our implementation of the cryptographic protocol\n* Remote Code Execution\n* Vulnerabilities that disrupt the consensus result and performance\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, individual node, or the reference wallet implementation\n\n# Participation Eligibility\n**Please review the following participation eligibility criteria before participating in the Program:**\n* Participants must be at least 14 years old and have the legal capacity to agree to these terms and participate in the Bug Bounty Program.\n* Residents of any country under U.S. sanctions, or of any country that does not allow participation in these types of programs, are prohibited from participating in this Program.\n* Fireblocks employees, family members of Fireblocks employees, Fireblocks contractors, Fireblocks partners and Fireblocks service providers are prohibited from participating in this Program.\n* **All submissions for bounties to Fireblocks must be through HackerOne. Anonymous reports are acceptable through HackerOne but are not eligible for rewards.**\n\n# Disclaimer\n**We reserve the right to modify the Program or cancel it at any time.**\n\n**Fireblocks reserves the final decision and will determine, at its discretion, whether a vulnerability is eligible for a reward and the amount of the award depending on severity.**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-22T15:33:15.008Z"},{"id":3743545,"new_policy":"# MPC Bug Bounty Program\nThis program is for the disclosure of software security vulnerabilities only.\nThe program only covers code found in the mpc-lib repository (https://github.com/fireblocks/mpc-lib).\n\nThis policy governs the MPC Bug Bounty Program (the “Program”).\nNote: Fireblocks has additional bug bounty programs, such as the [Fireblocks Bug Bounty Program](https://hackerone.com/fireblocks), which shall be governed by their own separate policies.\n\n# Introduction\nSecurity researchers play a crucial role in ensuring the safety of the blockchain industry as we build toward a common goal. 
Fireblocks actively encourages the responsible disclosure of security vulnerabilities through our Bug Bounty Program so that we may enable every business to manage their digital asset operations and build innovative businesses on the blockchain.\n\nWith the objective of securing the most widely used protocols and signature schemes, this Program focuses on the highest priority signature scheme, the MPC protocol for ECDSA signatures used in Bitcoin, Ethereum, and additional blockchains, as well as the protocol for EdDSA.\n\nTo qualify for a reward, a report must clearly demonstrate a software vulnerability that harms Fireblocks and its customers. Such a report is considered a valid, in-scope report. Fireblocks will determine, at its sole discretion, whether a report meets the eligibility criteria for a bounty and the amount of the reward.\n\n# Program Rules\n* Make a good-faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses. Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not use the vulnerability for any purpose, such as publicly disclosing or making a profit, other than receiving a reward through this Program.\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Any public disclosure of any vulnerabilities is prohibited without our consent. We will not approve public disclosure requests until the vulnerability has been resolved.\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit only one vulnerability per submission unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a report, you agree to be bound by these rules.\n\n# Report Evaluation\nIn order for a report to be deemed valid, it must demonstrate a vulnerability within the scope.\nA report must be a valid, in-scope report in order to qualify for a bounty.\n\nIf the report does not include a valid Proof-of-Concept, the qualification for rewards will be decided according to the reproducibility and severity of the vulnerability, and the amount of the reward may be reduced.\n\nBounty awards are based on the severity of the vulnerability.\n\nFor your reported vulnerability to be eligible, you must:\n* Discover a previously unreported, non-public vulnerability.\n* Provide sufficient information to enable Fireblocks’ team to reproduce and fix the vulnerability.\n* Submit a vulnerability on an issue that was not already rewarded under this Program.\n\n| **Vulnerability Tier** | **Example Vulnerability** |\n| - | - |\n| **Critical** | **Retrieving the key or a rogue signature without triggering any failures or aborts, regardless of the number of transactions involved. 
Obtaining the key/rogue signature by causing fewer than 1000 failures/aborts.** |\n| **High** | **Obtaining the key/rogue signature by causing fewer than 1 billion failures/aborts.** |\n| **Medium** | **Leaking bits of the private key or causing memory corruption.** |\n| **Low** | **Exploit exposure to a smaller subset of non-critical systems and/or data.** |\n\n| **Vulnerability Tier** | **Reward** |\n| - | - |\n| **Critical** | **Up to $250,000** |\n| **High** | **Up to $100,000** |\n| **Medium** | **Up to $40,000** |\n| **Low** | **Up to $5,000** |\n\nThe rewards listed next to each tier are maximum bounties for each tier. The specific amount awarded for a bug will vary according to:\n* The impact of the bug.\n* The cause of the bug.\n* Whether or not the report submitted suggests a solution to the bug or helps in its resolution.\n* The process through which the bug was discovered.\n\n# Report Closure\nFireblocks reviews all findings that are reported via this Program. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Fireblocks may request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports. Failure to provide a detailed report will result in delayed triage and/or ticket closure. Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for a bounty and are strictly prohibited.\n\n# Scope\n* Only the MPC library is eligible for this Program (https://github.com/fireblocks/mpc-lib).\n* Only an issue identified within the scope qualifies for the Program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n\n# Non-Qualifying Vulnerabilities\n* Unexploitable hypothetical side-channel attacks\n* Vulnerabilities discovered in a third-party library that is utilized in the MPC cryptography source code\n\n# Qualifying Vulnerabilities\nWe are looking to find security issues affecting our blockchain protocol such as:\n\n* Bugs in our implementation of the cryptographic primitives\n* Bugs in our implementation of the cryptographic protocol\n* Remote Code Execution\n* Vulnerabilities that disrupt the consensus result and performance\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, individual node, or the reference wallet implementation\n* Vulnerabilities in a dependent 3rd party library (openssl)\n\n# Participation Eligibility\n**Please review the following participation eligibility criteria before participating in the Program:**\n* Participants must be at least 14 years old and have the legal capacity to agree to these terms and participate in the Bug Bounty Program.\n* Residents of any country under U.S. sanctions, or of any country that does not allow participation in these types of programs, are prohibited from participating in this Program.\n* Fireblocks employees, family members of Fireblocks employees, Fireblocks contractors, Fireblocks partners and Fireblocks service providers are prohibited from participating in this Program.\n* **All submissions for bounties to Fireblocks must be through HackerOne. Anonymous reports are acceptable through HackerOne but are not eligible for rewards.**\n\n# Disclaimer\n**We reserve the right to modify the Program or cancel it at any time.**\n\n**Fireblocks reserves the final decision and will determine, at its discretion, whether a vulnerability is eligible for a reward and the amount of the award depending on severity.**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-03T22:10:14.347Z"},{"id":3710794,"new_policy":"# MPC Bug Bounty Program\nThis program is for the disclosure of software security vulnerabilities only.\n\nThis policy governs the MPC Bug Bounty Program (the “Program”).\nNote: Fireblocks has additional bug bounty programs, such as the [Fireblocks Bug Bounty Program](https://hackerone.com/fireblocks), which shall be governed by their own separate policies.\n\n# Introduction\nSecurity researchers play a crucial role in ensuring the safety of the blockchain industry as we build toward a common goal. Fireblocks actively encourages the responsible disclosure of security vulnerabilities through our Bug Bounty Program so that we may enable every business to manage their digital asset operations and build innovative businesses on the blockchain.\n\nWith the objective of securing the most widely used protocols and signature schemes, this Program focuses on the highest priority signature scheme, the MPC protocol for ECDSA signatures used in Bitcoin, Ethereum, and additional blockchains, as well as the protocol for EdDSA.\n\nTo qualify for a reward, a report must clearly demonstrate a software vulnerability that harms Fireblocks and its customers. Such a report is considered a valid, in-scope report. 
Fireblocks will determine, at its sole discretion, whether a report meets the eligibility criteria for a bounty and the amount of the reward.\n\n# Program Rules\n* Make a good-faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses. Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not use the vulnerability for any purpose, such as publicly disclosing or making a profit, other than receiving a reward through this Program.\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Any public disclosure of any vulnerabilities is prohibited without our consent. We will not approve public disclosure requests until the vulnerability has been resolved.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit only one vulnerability per submission unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a report, you agree to be bound by these rules.\n\n# Report Evaluation\nIn order for a report to be deemed valid, it must demonstrate a vulnerability within the scope.\nA report must be a valid, in-scope report in order to qualify for a bounty.\n\nIf the report does not include a valid Proof-of-Concept, the qualification for rewards will be decided according to the reproducibility and severity of the vulnerability, and the amount of the reward may be reduced.\n\nBounty awards are based on the severity of the vulnerability. 
\n\nFor your reported vulnerability to be eligible, you must:\n* Discover a previously unreported, non-public vulnerability.\n* Provide sufficient information to enable Fireblocks’ team to reproduce and fix the vulnerability.\n* Submit a vulnerability on an issue that was not already rewarded under this Program.\n\n| **Vulnerability Tier** | **Example Vulnerability** |\n| - | - |\n| **Critical** | **Retrieving the key or a rogue signature without triggering any failures or aborts, regardless of the number of transactions involved. Obtaining the key/rogue signature by causing fewer than 1000 failures/aborts.** |\n| **High** | **Obtaining the key/rogue signature by causing fewer than 1 billion failures/aborts.** |\n| **Medium** | **Leaking bits of the private key or causing memory corruption.** |\n| **Low** | **Exploit exposure to a smaller subset of non-critical systems and/or data.** |\n\n| **Vulnerability Tier** | **Reward** |\n| - | - |\n| **Critical** | **Up to $250,000** |\n| **High** | **Up to $100,000** |\n| **Medium** | **Up to $40,000** |\n| **Low** | **Up to $5,000** |\n\nThe rewards listed next to each tier are maximum bounties for each tier. The specific amount awarded for a bug will vary according to:\n* The impact of the bug.\n* The cause of the bug.\n* Whether or not the report submitted suggests a solution to the bug or helps in its resolution.\n* The process through which the bug was discovered.\n\n# Report Closure\nFireblocks reviews all findings that are reported via this Program. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Fireblocks may request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. 
After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports. Failure to provide a detailed report will result in delayed triage and/or ticket closure. Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for a bounty and are strictly prohibited.\n\n# Scope\n* Only the MPC library is eligible for this Program.\n* Only an issue identified within the scope qualifies for the Program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n\n# Non-Qualifying Vulnerabilities\n* Unexploitable hypothetical side-channel attacks\n* Vulnerabilities discovered in a third-party library that is utilized in the MPC cryptography source code\n\n# Qualifying Vulnerabilities\nWe are looking to find security issues affecting our blockchain protocol such as:\n\n* Bugs in our implementation of the cryptographic primitives\n* Bugs in our implementation of the cryptographic protocol\n* Remote Code Execution\n* Vulnerabilities that disrupt the consensus result and performance\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, individual node, or the reference wallet implementation\n* Vulnerabilities in a dependent 3rd party library (openssl)\n\n# Participation Eligibility\n**Please review the following participation eligibility criteria before participating in the Program:**\n* Participants must be at least 14 years old and have the legal capacity to agree to these terms and participate in the Bug Bounty Program.\n* Residents of any country under U.S. sanctions, or of any country that does not allow participation in these types of programs, are prohibited from participating in this Program.\n* Fireblocks employees, family members of Fireblocks employees, Fireblocks contractors, Fireblocks partners and Fireblocks service providers are prohibited from participating in this Program.\n* **All submissions for bounties to Fireblocks must be through HackerOne. Anonymous reports are acceptable through HackerOne but are not eligible for rewards.**\n\n# Disclaimer\n**We reserve the right to modify the Program or cancel it at any time.**\n\n**Fireblocks reserves the final decision and will determine, at its discretion, whether a vulnerability is eligible for a reward and the amount of the award depending on severity.**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-15T12:24:36.639Z"},{"id":3699570,"new_policy":"# MPC Bug Bounty Program\nThis program is for the disclosure of software security vulnerabilities only.\n\nThis policy governs the MPC Bug Bounty Program (the “Program”).\n\n# Introduction\nSecurity researchers play a crucial role in ensuring the safety of the blockchain industry as we build toward a common goal. 
Fireblocks actively encourages the responsible disclosure of security vulnerabilities through our Bug Bounty Program so that we may enable every business to manage their digital asset operations and build innovative businesses on the blockchain.\n\nWith the objective of securing the most widely used protocols and signature schemes, this Program focuses on the highest priority signature scheme, the MPC protocol for ECDSA signatures used in Bitcoin, Ethereum, and additional blockchains, as well as the protocol for EdDSA.\n\nTo qualify for a reward, a report must clearly demonstrate a software vulnerability that harms Fireblocks and its customers. Such a report is considered a valid, in-scope report. Fireblocks will determine, at its sole discretion, whether a report meets the eligibility criteria for a bounty and the amount of the reward.\n\n# Program Rules\n* Make a good-faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses. Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not use the vulnerability for any purpose, such as publicly disclosing or making a profit, other than receiving a reward through this Program.\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n* Any public disclosure of any vulnerabilities is prohibited without our consent. We will not approve public disclosure requests until the vulnerability has been resolved.\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit only one vulnerability per submission unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* In case we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a report, you agree to be bound by these rules.\n\n# Report Evaluation\nIn order for a report to be deemed valid, it must demonstrate a vulnerability within the scope.\nA report must be a valid, in-scope report in order to qualify for a bounty.\n\nIf the report does not include a valid Proof-of-Concept, the qualification for rewards will be decided according to the reproducibility and severity of the vulnerability, and the amount of the reward may be reduced.\n\nBounty awards are based on the severity of the vulnerability.\n\nFor your reported vulnerability to be eligible, you must:\n* Discover a previously unreported, non-public vulnerability.\n* Provide sufficient information to enable Fireblocks’ team to reproduce and fix the vulnerability.\n* Submit a vulnerability on an issue that was not already rewarded under this Program.\n\n| **Vulnerability Tier** | **Example Vulnerability** |\n| - | - |\n| **Critical** | **Retrieving the key or a rogue signature without triggering any failures or aborts, regardless of the number of transactions involved. 
Obtaining the key/rogue signature by causing fewer than 1000 failures/aborts.** |\n| **High** | **Obtaining the key/rogue signature by causing fewer than 1 billion failures/aborts.** |\n| **Medium** | **Leaking bits of the private key or causing memory corruption.** |\n| **Low** | **Exploit exposure to a smaller subset of non-critical systems and/or data.** |\n\n| **Vulnerability Tier** | **Reward** |\n| - | - |\n| **Critical** | **Up to $250,000** |\n| **High** | **Up to $100,000** |\n| **Medium** | **Up to $40,000** |\n| **Low** | **Up to $5,000** |\n\nThe rewards listed next to each tier are maximum bounties for each tier. The specific amount awarded for a bug will vary according to:\n* The impact of the bug.\n* The cause of the bug.\n* Whether or not the report submitted suggests a solution to the bug or helps in its resolution.\n* The process through which the bug was discovered.\n\n# Report Closure\nFireblocks reviews all findings that are reported via this Program. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Fireblocks may request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports. Failure to provide a detailed report will result in delayed triage and/or ticket closure. Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for a bounty and are strictly prohibited.\n\n# Scope\n* Only the MPC library is eligible for this Program.\n* Only an issue identified within the scope qualifies for the Program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n\n# Non-Qualifying Vulnerabilities\n* Unexploitable hypothetical side-channel attacks\n* Vulnerabilities discovered in a third-party library that is utilized in the MPC cryptography source code\n\n# Qualifying Vulnerabilities\nWe are looking to find security issues affecting our blockchain protocol such as:\n\n* Bugs in our implementation of the cryptographic primitives\n* Bugs in our implementation of the cryptographic protocol\n* Remote Code Execution\n* Vulnerabilities that disrupt the consensus result and performance\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, individual node, or the reference wallet implementation\n* Vulnerabilities in a dependent 3rd party library (openssl)\n\n# Participation Eligibility\n**Please review the following participation eligibility criteria before participating in the Program:**\n* Participants must be at least 14 years old and have the legal capacity to agree to these terms and participate in the Bug Bounty Program.\n* Residents of any country under U.S. sanctions, or of any country that does not allow participation in these types of programs, are prohibited from participating in this Program.\n* Fireblocks employees, family members of Fireblocks employees, Fireblocks contractors, Fireblocks partners and Fireblocks service providers are prohibited from participating in this Program.\n* **All submissions for bounties to Fireblocks must be through HackerOne. Anonymous reports are acceptable through HackerOne but are not eligible for rewards.**\n\n# Disclaimer\n**We reserve the right to modify the Program or cancel it at any time.**\n\n**Fireblocks reserves the final decision and will determine, at its discretion, whether a vulnerability is eligible for a reward and the amount of the award depending on severity.**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-07T18:41:40.450Z"},{"id":3699426,"new_policy":"# MPC Bug Bounty Program\nThis program is for the disclosure of software security vulnerabilities only.\n\nThis policy governs the MPC Bug Bounty Program (the “Program”).\n\n# Introduction\nSecurity researchers play a crucial role in ensuring the safety of the blockchain industry as we build toward a common goal. Fireblocks actively encourages the responsible disclosure of security vulnerabilities through our Bug Bounty Program so that we may enable every business to manage their digital asset operations and build innovative businesses on the blockchain.\n\nWith the objective of securing the most widely used protocols and signature schemes, this Program focuses on the highest priority signature scheme, the MPC protocol for ECDSA signatures used in Bitcoin, Ethereum, and additional blockchains, as well as the protocol for EdDSA.\n\nTo qualify for a reward, a report must clearly demonstrate a software vulnerability that harms Fireblocks and its customers. Such a report is considered a valid, in-scope report. Fireblocks will determine, at its sole discretion, whether a report meets the eligibility criteria for a bounty and the amount of the reward.\n\n# Program Rules\n* Make a good-faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses. 
Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not use the vulnerability for any purpose, such as publicly disclosing or making a profit, other than receiving a reward through this Program.\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines)\n* Any public disclosure of any vulnerabilities is prohibited without our consent. We will not approve public disclosure requests until the vulnerability has been resolved.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit only one vulnerability per submission unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* If we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a report, you agree to be bound by these rules.\n\n# Report Evaluation\nIn order for a report to be deemed valid, a report must demonstrate a vulnerability within the scope.\nA report must be a valid, in-scope report in order to qualify for a bounty.\n\nIf the report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to the reproducibility and severity of the vulnerability, and the amount of the reward may be reduced.\n\nBounty awards are based on the severity of the vulnerability. 
\n\nFor your reported vulnerability to be eligible, you must:\n* Discover a previously unreported, non-public vulnerability.\n* Provide sufficient information to enable Fireblocks’ team to reproduce and fix the vulnerability.\n* Submit a vulnerability on an issue that was not already rewarded under this Program.\n\n| **Vulnerability Tier** | **Example Vulnerability** |\n| - | - |\n| **Critical** | **Retrieving the key or a rogue signature without triggering any failures or aborts, regardless of the number of transactions involved. Obtaining the key/rogue signature by causing fewer than 1000 failures/aborts.** |\n| **High** | **Obtaining the key/rogue signature by causing fewer than 1 billion failures/aborts.** |\n| **Medium** | **Leaking bits of the private key or causing memory corruption.** |\n| **Low** | **Exploit exposure to a smaller subset of non-critical systems and/or data** |\n\n| **Vulnerability Tier** | **Reward** |\n| - | - |\n| **Critical** | **Up to $250,000** |\n| **High** | **Up to $100,000** |\n| **Medium** | **Up to $40,000** |\n| **Low** | **Up to $5,000** |\n\nThe rewards listed next to each tier are maximum bounties for each tier. The specific amount awarded for a bug will vary according to:\n* The impact of the bug.\n* The cause of the bug.\n* Whether or not the report submitted suggests a solution to the bug or helps in its resolution.\n* The process through which the bug was discovered.\n\n# Report Closure\nFireblocks reviews all findings that are reported via this Program. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Fireblocks may request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. 
After the internal review process is complete, any bugs that are not reproducible, invalid, or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports. Failure to provide a detailed report will result in delayed triage and/or ticket closure. Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for a bounty and are strictly prohibited.\n\n# Scope\n* Only the MPC is eligible for this Program.\n* Only an issue identified within the scope qualifies for the Program. Once the report has been triaged as valid, it’s considered for the bug bounty.\n\n# Non-Qualifying Vulnerabilities\n* Unexploitable hypothetical side-channel attack\n* Vulnerability discovered in a third-party library that is utilized in the MPC cryptography source code\n\n# Qualifying Vulnerabilities\nWe are looking to find security issues affecting our blockchain protocol such as:\n\n* Bugs in our implementation of the cryptographic primitives\n* Bugs in our implementation of the cryptographic protocol\n* Remote Code Execution\n* Vulnerabilities that disrupt the consensus result and performance\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation\n* Vulnerabilities in a dependent third-party library (openssl)\n\n# Participation Eligibility\n**Please review the following participation eligibility criteria before participating in the Program:**\n* Participants must be at least 14 years old and have the legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Participants who are residents of any country under U.S. 
sanctions, or of any country that does not allow participation in these types of programs, are prohibited from participating in this Program\n* Fireblocks employees, family members of Fireblocks employees, Fireblocks contractors, Fireblocks partners and Fireblocks service providers are prohibited from participating in this Program\n* **All submissions for bounties to Fireblocks must be through HackerOne. Anonymous reports are acceptable through HackerOne but are not eligible for rewards.**\n\n# Disclaimer\n**We reserve the right to modify the Program or cancel it at any time.**\n\n**Fireblocks reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-03T18:21:50.025Z"},{"id":3699423,"new_policy":"# MPC Bug Bounty Program \nThis program is for the disclosure of software security vulnerabilities only.\n\nThis policy governs the MPC Bug Bounty Program (the “Program”).\n\n# Introduction\nFireblocks acknowledges the crucial role played by security researchers in ensuring the safety of our community. 
We actively encourage the responsible disclosure of security vulnerabilities through this Program, which aligns with our core values and mission of enabling secure digital asset operations.\n\nWith the motivation of securing the most widely used protocols and signature schemes, this Program focuses on the highest-priority signature scheme, the MPC protocol for ECDSA signatures used in Bitcoin, Ethereum, and additional blockchains, as well as the protocol for EdDSA.\n\nTo qualify for a reward, a report must clearly demonstrate a software vulnerability that harms Fireblocks and its customers. Such a report is considered a valid, in-scope report. Fireblocks will determine, at its sole discretion, whether a report meets the eligibility criteria for a bounty and the amount of the reward.\n\n# Program Rules\n* Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our businesses. Only interact with accounts you own or with the explicit permission of the account holder.\n* Do not use the vulnerability for any purpose, such as publicly disclosing or making a profit, other than receiving a reward through this Program.\n* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines)\n* Any public disclosure of any vulnerabilities is prohibited without our consent. We will not approve public disclosure requests until the vulnerability has been resolved.\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit only one vulnerability per submission unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.\n* If we receive duplicate reports of a specific vulnerability, only the first report is eligible for a reward.\n* By submitting a report, you agree to be bound by these rules.\n\n# Report Evaluation\nIn order for a report to be deemed valid, a report must demonstrate a vulnerability within the scope.\nA report must be a valid, in-scope report in order to qualify for a bounty.\n\nIf the report does not include a valid Proof-of-Concept, the qualification of rewards will be decided according to the reproducibility and severity of the vulnerability, and the amount of the reward may be reduced.\n\nBounty awards are based on the severity of the vulnerability.\n\nFor your reported vulnerability to be eligible, you must:\n* Discover a previously unreported, non-public vulnerability.\n* Provide sufficient information to enable Fireblocks’ team to reproduce and fix the vulnerability.\n* Submit a vulnerability on an issue that was not already rewarded under this Program.\n\n| **Vulnerability Tier** | **Example Vulnerability** |\n| - | - |\n| **Critical** | **Retrieving the key or a rogue signature without triggering any failures or aborts, regardless of the number of transactions involved. 
Obtaining the key/rogue signature by causing fewer than 1000 failures/aborts.** |\n| **High** | **Obtaining the key/rogue signature by causing fewer than 1 billion failures/aborts.** |\n| **Medium** | **Leaking bits of the private key or causing memory corruption.** |\n| **Low** | **Exploit exposure to a smaller subset of non-critical systems and/or data** |\n\n| **Vulnerability Tier** | **Reward** |\n| - | - |\n| **Critical** | **Up to $250,000** |\n| **High** | **Up to $100,000** |\n| **Medium** | **Up to $40,000** |\n| **Low** | **Up to $5,000** |\n\nThe rewards listed next to each tier are maximum bounties for each tier. The specific amount awarded for a bug will vary according to:\n* The impact of the bug.\n* The cause of the bug.\n* Whether or not the report submitted suggests a solution to the bug or helps in its resolution.\n* The process through which the bug was discovered.\n\n# Report Closure\nFireblocks reviews all findings that are reported via this Program. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Fireblocks may request additional information from the reporter. After all information is aggregated, the report submission goes through an internal review and scoring process. After the internal review process is complete, any bugs that are not reproducible, invalid, or informative will be closed.\n\nPLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports. Failure to provide a detailed report will result in delayed triage and/or ticket closure. Additionally, reports disclosed or submitted outside of the HackerOne platform will not be considered for a bounty and are strictly prohibited.\n\n# Scope\n* Only the MPC is eligible for this Program.\n* Only an issue identified within the scope qualifies for the Program. 
Once the report has been triaged as valid, it’s considered for the bug bounty.\n\n# Non-Qualifying Vulnerabilities\n* Unexploitable hypothetical side-channel attack\n* Vulnerability discovered in a third-party library that is utilized in the MPC cryptography source code\n\n# Qualifying Vulnerabilities\nWe are looking to find security issues affecting our blockchain protocol such as:\n\n* Bugs in our implementation of the cryptographic primitives\n* Bugs in our implementation of the cryptographic protocol\n* Remote Code Execution\n* Vulnerabilities that disrupt the consensus result and performance\n* Vulnerabilities that affect the stability, connectivity, or availability of the whole network, an individual node, or the reference wallet implementation\n* Vulnerabilities in a dependent third-party library (openssl)\n\n# Participation Eligibility\n**Please review the following participation eligibility criteria before participating in the Program:**\n* Participants must be at least 14 years old and have the legal capacity to agree to these terms and participate in the Bug Bounty Program\n* Participants who are residents of any country under U.S. sanctions, or of any country that does not allow participation in these types of programs, are prohibited from participating in this Program\n* Fireblocks employees, family members of Fireblocks employees, Fireblocks contractors, Fireblocks partners and Fireblocks service providers are prohibited from participating in this Program\n* **All submissions for bounties to Fireblocks must be through HackerOne. Anonymous reports are acceptable through HackerOne but are not eligible for rewards.**\n\n# Disclaimer\n**We reserve the right to modify the Program or cancel it at any time.**
\n\n**Fireblocks reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.**\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-03T17:37:51.377Z"}]