[{"id":3663136,"new_policy":"# Program Update\nWe are temporarily pausing all submissions and will have more information in the coming weeks.\n\n\n# Introduction\n\nThe bug bounty program from the Maker Protocol currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\n\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\n\nA bug report may qualify for a reward only when:\n\n- It makes the Maker team aware of the bug for the first time.\n- The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public.\n- The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program.\n- A bug is reported without any conditions, demands, or threats.\n- The investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n- The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- A detailed report increases the likelihood of a reward payout and may also increase the reward amount. 
Please include as much information about the vulnerability as possible, including:\n    - The conditions on which reproducing the bug is contingent.\n    - The steps needed to reproduce the bug or, better yet, a proof-of-concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    - The potential implications of the vulnerability being abused.\n- Multiples or duplicates\n    - Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    - When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    - Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n\n# Ineligible methods\n\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n- Social engineering\n- DDoS attack\n- Spamming\n- Any physical attacks against Maker infrastructure\n- Automated tools\n- Compromising or misusing third party systems or services\n\n# Ineligible bugs\n\n- Vulnerabilities already known to the public or to the Maker team, including previous findings from another participant in the bug bounty program.\n- Vulnerabilities in outdated software from Maker, or which affect only outdated third party software.\n- Bugs that are not reproducible.\n- Bugs disclosed to other parties without consent from the Maker team.\n- Issues which we cannot reasonably be expected to be able to do anything about.\n- Cookies missing security flags (for non-sensitive cookies).\n- Additional missing security controls often considered “Best practice”, such as:\n    - Content 
Security Policy (CSP) HTTP header\n    - HTTP Public Key Pinning (HPKP)\n    - Subresource integrity\n    - Referrer Policy\n- The following vulnerabilities in a vendor we integrate with:\n    - Cross-Site Scripting (XSS)\n    - Cross-Site Request Forgery (CSRF)\n    - Cross Frame Scripting\n    - Content Spoofing\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n- Weak TLS and SSL ciphers (which we are already aware of)\n\n# Response time\n\nPlease allow 5 business days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\n\nThis bug bounty program may be canceled or revised at any time. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to infosec+bugbounty@makerdao.com\n\nMembers of the Maker team, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n\n# SMART CONTRACTS PROGRAM\n\n## Introduction\n\nThe smart contracts bug bounty program will develop in iterations:\n\n- The scope of contracts will increase. 
Contracts already in scope may be updated on a bi-weekly basis as shown on [changelog.makerdao.com](http://changelog.makerdao.com/)\n- Bug bounty amounts will increase.\n\nThe program is planned to be long-running and will continue indefinitely.\n\nThe scope is a selection of the core smart contracts of MCD as deployed on the Ethereum Kovan testnet, and more contracts will be added as needed.\n\nThe minimum amounts will also increase in future iterations of the bug bounty program.\n\n## Special Requirements for Critical Smart Contract bugs\n\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs, which must meet the following requirements:\n\n- The bug must allow a user to steal Collateral tokens, Dai or MKR representing at least 10% of the value of all collateral tokens from the system.\n- The attack must be triggered through an attack vector that is more than just theoretical.\n- The system must be in normal operational mode or emergency shutdown mode. This excludes, for example, any states during deployment or shortly after, when the system is not fully initialized.\n\n**Note: All Smart Contract bugs must include a PoC implementation with reproducible steps. This can take the form of a Solidity or JavaScript test or a list of actions that clearly shows how the bug occurs.** We recommend using [Dapp tools](https://github.com/dapphub/dapptools) for testing.\n\n## Smart Contracts Scope\n\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. 
Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts over the course of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n- **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n- **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n- **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n- **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n- **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - English Auction Liquidator\n- **[Dog](https://github.com/makerdao/dss/blob/master/src/dog.sol)** (`MCD_DOG`) - Dutch Auction Liquidator\n- **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n- **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n- **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - English Collateral Auction\n- **[Clipper](https://github.com/makerdao/dss/blob/master/src/clip.sol)** (`MCD_CLIP`) - Dutch Collateral Auction\n- **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n- **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n- **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. 
Currently it is `dss/Dai.sol`)\n- **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n- All [gem join adapters](https://github.com/makerdao/dss-gem-joins/) are in scope.\n- **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n- Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different than the total amount that is joined through the contract if users send tokens or ETH directly to the contract. We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Instant Access Modules**\n\n- **[OsmMom](https://github.com/makerdao/osm-mom/blob/master/src/OsmMom.sol)** (`OSM_MOM`) - allows oracle price updates to be halted without a governance delay\n- **[FlipperMom](https://github.com/makerdao/flipper-mom/blob/master/src/FlipperMom.sol)** (`FLIPPER_MOM`) - allows liquidations to be enabled and disabled without a governance delay for collaterals using the English auction system\n- **[ClipperMom](https://github.com/makerdao/clipper-mom/blob/master/src/ClipperMom.sol)** (`CLIPPER_MOM`) - allows liquidations to be enabled and disabled without a governance delay for collaterals using the Dutch auction system; also allows permissionless disabling of liquidations for such collaterals if the Oracle module indicates that the price will fall by more than a specified per-collateral percentage\n- **[Debt Ceiling Instant Access Module](https://github.com/makerdao/dss-auto-line/blob/master/src/DssAutoLine.sol)** (`MCD_IAM_AUTO_LINE`) - allows the debt ceilings of configured collaterals to be raised and lowered permissionlessly in a constrained fashion\n\n**Oracles**\n\n- 
**[Median](https://github.com/makerdao/median)** (to get the address, call `src()` on the relevant OSM, for example `seth call $PIP_ETH 'src()(address)'`) - Medianizer for Oracles\n- **[OSM](https://github.com/makerdao/osm)** (`PIP_ETH`, `PIP_BAT`, `PIP_WBTC`, `PIP_ZRX`, `PIP_KNC`, `PIP_MANA`, `PIP_USDT`, `PIP_COMP`, `PIP_LRC`, `PIP_LINK`, `PIP_BAL`, `PIP_UNI`, `PIP_RENBTC`, `PIP_AAVE`) - Oracle Security Module\n- **[LP Token OSM](https://github.com/makerdao/univ2-lp-oracle)** (`PIP_UNIV2DAIETH`, `PIP_UNIV2WBTCETH`, `PIP_UNIV2USDCETH`, `PIP_UNIV2DAIUSDC`, `PIP_UNIV2ETHUSDT`, `PIP_UNIV2LINKETH`, `PIP_UNIV2UNIETH`, `PIP_UNIV2WBTCDAI`, `PIP_UNIV2AAVEETH`, `PIP_UNIV2DAIUSDT`) - Uniswap V2 LP Token Oracle Security Module\n\n**Governance**\n\nThe smart contracts included for \"governance\" have special limitations on the types of bugs that are currently considered in scope. For instance, it is a known design aspect of governance that governance has \"root\" access to the MCD system and with this permission is able to manipulate system parameters in such a way that it could take actions that would qualify under this program scope. We have recently added the Governance Security Module (see pause scope below) to provide a delay in governance actions and additional protection against malicious governance proposals. Generic \"Governance could be malicious\" reports **are not in scope**.\n\nHowever, bugs in the [DS-Chief contract](https://github.com/makerdao/ds-chief/blob/master/src/chief.sol) that result in the voting with, locking, or theft of MKR tokens that are not owned by the attacker are considered in scope. 
A bug that shows an attacker locking, voting with, or stealing another user's MKR through a bug in the Chief would be considered **critical**.\n\nAdditionally, bugs in the [Pause](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L21) or [Pause Proxy](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L109) contracts or MCD system permissions that allow a Governance proposal to be enacted without waiting for the pause would be considered in scope. Specifically excluded from this scope would be an attack that relies on clogging the Ethereum network, colluding with miners, or Governance not noticing or being overwhelmed by malicious proposals long enough for the delay to pass. A bug that allows governance to act instantaneously through the pause contract or to directly affect some permissioned part of the MCD system is in scope unless done via an Instant Access Module (IAM). IAMs are smart contracts with permissions that permit bypassing of the governance delay for specific actions, which are either deemed to be safe, or to be necessary as emergency defenses. Any behavior of an instant access module that violates the intent of that module is still a bug.\n\n**Attacks Leveraging Other DeFi Protocols**\n\nAttacks in the DeFi space sometimes combine multiple protocols (e.g. utilizing flash loans from a margin protocol or manipulating the spot prices on a DEX). PoCs or descriptions of bug exploits may utilize such mechanisms, either to make an attack more severe than it would be in isolation, or to achieve an attack that would otherwise be impossible or infeasible. However, they will only be considered in-scope so long as:\n\n1. Losses or other negative effects of the attack are inflicted upon Maker ecosystem participants—MKR holders, DAI holders, Vault holders, or Keepers. 
If the losses or negative effects are inflicted solely upon other (external) protocols, the attack is not in scope for this bounty program (though we would encourage you to responsibly disclose to those protocols).\n2. The losses or other negative effects could be prevented via changes to the MCD smart contracts already included in the bounty scope.\n3. The additional DeFi protocols used exist as smart contracts on the Ethereum mainnet and can reasonably be expected to have enough liquidity in various assets to allow the attack to succeed (when there is insufficient liquidity to achieve the claimed severity level but the attack is still possible, it will still be considered in-scope but with a downgraded severity level).\n\n## Smart Contracts Releases\n\nAs-needed deployments of the latest versions of the smart contracts to the Kovan testnet and mainnet will continue. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements, unless otherwise noted.\n\nThe bug bounty program will be applicable only to the releases specified in this policy. Submissions should indicate to which release they relate.\n\n**The only current release eligible for vulnerability reports is the [active mainnet release](https://changelog.makerdao.com/releases/mainnet/active/contracts.json). 
Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all releases are available from [changelog.makerdao.com](https://changelog.makerdao.com/)\n\n## Smart Contracts Investigation Tools\n\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD.\n\n- [https://docs.makerdao.com/maker-protocol-101](https://docs.makerdao.com/maker-protocol-101)\n\n**Official Documentation**\nThe full documentation of the Maker protocol, including smart contracts.\n\n- [https://docs.makerdao.com/](https://docs.makerdao.com/)\n\n**Source Code**\nThe MCD core contracts and some additional documentation can be found here:\n\n- [https://github.com/makerdao/clipper-mom](https://github.com/makerdao/clipper-mom)\n- [https://github.com/makerdao/esm](https://github.com/makerdao/esm)\n- [https://github.com/makerdao/dss](https://github.com/makerdao/dss)\n- [https://github.com/makerdao/dss-cdp-manager](https://github.com/makerdao/dss-cdp-manager)\n- [https://github.com/makerdao/dss-chief](https://github.com/makerdao/dss-chief)\n- [https://github.com/makerdao/dss-gem-joins](https://github.com/makerdao/dss-gem-joins)\n- [https://github.com/makerdao/osm-mom](https://github.com/makerdao/osm-mom)\n- [https://github.com/makerdao/dss-proxy-actions](https://github.com/makerdao/dss-proxy-actions)\n- [https://github.com/makerdao/dss/wiki](https://github.com/makerdao/dss/wiki)\n\nIf reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:\n\n- [https://docs.makerdao.com/other-documentation/smart-contract-annotations](https://docs.makerdao.com/other-documentation/smart-contract-annotations)\n\nDeployment Scripts:\n\n- [https://github.com/makerdao/dss-deploy](https://github.com/makerdao/dss-deploy)\n- [https://github.com/makerdao/dss-deploy-scripts](https://github.com/makerdao/dss-deploy-scripts)\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n\n- 
[https://dapp.tools/seth/](https://dapp.tools/seth/)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n\n- [https://github.com/makerdao/mcd-cli](https://github.com/makerdao/mcd-cli)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com/) to get the faucet address for the relevant deployment (`FAUCET`).\n\nTo claim tokens, use the following `seth` command (note the straight single quotes around the function signature):\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\n\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\n\nThe scope of this program focuses on specific externally facing Maker team infrastructure. This program covers security vulnerabilities discovered within the Maker public infrastructure, including select websites and DNS configurations.\n\nSystems in scope for this program are listed below. We expect to include more domains in the future.\n\n- [forum.makerdao.com](http://forum.makerdao.com/)\n- [chat.makerdao.com](http://chat.makerdao.com/)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-17T13:24:54.140Z"},{"id":3658137,"new_policy":"# Introduction\n\nThe bug bounty program from the Maker Protocol currently contains two separate scopes, which share the same rules with a few exceptions as noted below. 
The scopes are:\n\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\n\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\n\nA bug report may qualify for a reward only when:\n\n- It makes the Maker team aware of the bug for the first time.\n- The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public.\n- The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program.\n- A bug is reported without any conditions, demands, or threats.\n- The investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n- The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    - The conditions on which reproducing the bug is contingent.\n    - The steps needed to reproduce the bug or, better yet, a proof-of-concept. 
If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    - The potential implications of the vulnerability being abused.\n- Multiples or duplicates\n    - Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    - When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    - Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Rewards amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n\n# Ineligible methods\n\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n- Social engineering\n- DDOS attack\n- Spamming\n- Any physical attacks against Maker infrastructure\n- Automated tools\n- Compromising or misusing third party systems or services\n\n# Ineligible bugs\n\n- Vulnerabilities already known to the public or to the Maker team including previous findings from another participant in the bug bounty program.\n- Vulnerabilities in outdated software from Maker or which affects only outdated third party software.\n- Bugs that are not reproducible.\n- Bugs disclosed to other parties without consent from the Maker team.\n- Issues which we cannot reasonably be expected to be able to do anything about.\n- Cookies missing security flags (for non-sensitive cookies).\n- Additional missing security controls often considered “Best practice”, such as:\n    - Content Security Policy (CSP) HTTP header\n    - HTTP Public Key Pinning (HPKP)\n    - Subresource integrity\n    - Referrer Policy\n- The following vulnerabilities in a vendor we integrate with:\n    - Cross-site Scripting (XSS)\n    - 
Cross-Site Request Forgery (CSRF)\n    - Cross Frame Scripting\n    - Content Spoofing\n- Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.\n- Weak TLS and SSL cyphers (we are already aware of)\n\n# Time to response\n\nPlease allow 5 business days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\n\nThis bug bounty program may be canceled or revised at any time. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to infosec+bugbounty@makerdao.com\n\nMaker team, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n\n# SMART CONTRACTS PROGRAM\n\n## Introduction\n\nThe smart contracts bug bounty program will develop in iterations:\n\n- The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on [changelog.makerdao.com](http://changelog.makerdao.com/)\n- Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely.\n\nThe scope is a selection of the core smart contracts of MCD as deployed on the Ethereum Kovan testnet, while more contracts will be added as needed.\n\nThe minimum amounts will also increase in future iterations of the bug bounty program.\n\n## Special Requirements for Critical Smart Contract bugs\n\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. 
One exception pertains to Critical bugs which must meet the following requirements:\n\n- The bug must allow a user to steal Collateral tokens, Dai or MKR representing at least 10% of the value of all collateral tokens from the system.\n- The attack must be triggered through an attack vector that is more than just theoretical.\n- The system must be in normal operational mode or emergency shutdown mode. This excludes for example any states during deployment or shortly after when the system is not fully initialized.\n\n**Note: All Smart Contract bugs must include a PoC implementation with reproducible steps. This can be the form of a Solidity or JavaScript test or a list of actions that clearly shows how the bug occurs.** We recommend using [Dapp tools](https://github.com/dapphub/dapptools) for testing.\n\n## Smart Contracts Scope\n\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as following:\n\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. 
Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n- **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n- **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n- **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n- **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n- **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - English Auction Liquidator\n- **[Dog](https://github.com/makerdao/dss/blob/master/src/dog.sol)** (`MCD_DOG`) - Dutch Auction Liquidator\n- **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n- **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n- **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - English Collateral Auction\n- **[Clipper](https://github.com/makerdao/dss/blob/master/src/clip.sol)** (`MCD_CLIP`) - Dutch Collateral Auction\n- **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n- **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`)- Dai Settlement\n\n**Dai**\n\n- **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. 
Currently it is `dss/Dai.sol`)\n- **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n- All [gem join adapters](https://github.com/makerdao/dss-gem-joins/) are in scope.\n- **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n- Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different than the total amount that is joined through the contract if users send tokens or ETH directly to the contract. We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Instant Access Modules**\n\n- **[OsmMom](https://github.com/makerdao/osm-mom/blob/master/src/OsmMom.sol)** (`OSM_MOM`) - allows oracle price updates to be halted without a governance delay\n- **[FlipperMom](https://github.com/makerdao/flipper-mom/blob/master/src/FlipperMom.sol)** (`FLIPPER_MOM`) - allows liquidations to be enabled and disabled without a governance delay for collaterals using the English auction system\n- **[ClipperMom](https://github.com/makerdao/clipper-mom/blob/master/src/ClipperMom.sol)** (`CLIPPER_MOM`) - allows liquidations to be enabled and disabled without a governance delay for collaterals using the Dutch auction system; also allows permissionless disabling of liquidations for such collaterals if the Oracle module indicates that the price will fall by more than a specified per-collateral percentage\n- **[Debt Ceiling Instant Access Module](https://github.com/makerdao/dss-auto-line/blob/master/src/DssAutoLine.sol)** (`MCD_IAM_AUTO_LINE`) - allows the debt ceilings of configured collaterals to be raised and lowered permissionlessly in a constrained fashion\n\n**Oracles**\n\n- 
**[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n- **[OSM](https://github.com/makerdao/osm)** (`PIP_ETH`, `PIP_BAT`, `PIP_WBTC`, `PIP_ZRX`, `PIP_KNC`, `PIP_MANA`, `PIP_USDT`, `PIP_COMP`, `PIP_LRC`, `PIP_LINK`, `PIP_BAL`, `PIP_UNI`, `PIP_RENBTC`, `PIP_AAVE`) Oracle Security Module\n- **[LP Token OSM](https://github.com/makerdao/univ2-lp-oracle)** (`PIP_UNIV2DAIETH`, `PIP_UNIV2WBTCETH`, `PIP_UNIV2USDCETH`, `PIP_UNIV2DAIUSDC`, `PIP_UNIV2ETHUSDT`, `PIP_UNIV2LINKETH`, `PIP_UNIV2UNIETH`, `PIP_UNIV2WBTCDAI`, `PIP_UNIV2AAVEETH`, `PIP_UNIV2DAIUSDT`) Uniswap V2 LP Token Oracle Security Module\n\n**Governance**\n\nThe smart contracts included for \"governance\" have special limitations on the types of bugs that are currently considered in scope.  For instance, it is a known design aspect of governance that governance has \"root\" access to the MCD system and with this permission is able to manipulate system parameters in such a way that it could take actions that would qualify under this program scope.  We have recently added the Governance Security Module (see pause scope below) to provide a delay in governance actions and additional protection against malicious governance proposals.  Generic \"Governance could be malicious\" reports **are not in scope**.\n\nHowever, bugs in the [DS-Chief contract](https://github.com/makerdao/ds-chief/blob/master/src/chief.sol) that result in the voting with, locking, or theft of MKR tokens that are not owned by the attacker are considered in scope. 
A bug that shows an attacker locking, voting with, or stealing another user's MKR through a bug in the Chief would be considered **critical**.\n\nAdditionally, bugs in the [Pause](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L21) or [Pause Proxy](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L109) contracts or MCD system permissions that allow a Governance proposal to be enacted without waiting for the pause would be considered in scope. Specifically excluded from this scope would be an attack that relies on clogging the Ethereum network, colluding with miners, or Governance not noticing or being overwhelmed by malicious proposals long enough for the delay to pass. A bug that allows governance to act instantaneously through the pause contract or to directly affect some permissioned part of the MCD system is in scope unless done via an Instant Access Module (IAM). IAMs are smart contracts with permissions that permit bypassing of the governance delay for specific actions, which are either deemed to be safe, or to be necessary as emergency defenses. Any behavior of an instant access module that violates the intent of that module is still a bug.\n\n**Attacks Leveraging Other DeFi Protocols**\n\nAttacks in the DeFi space sometimes combine multiple protocols (e.g. utilizing flash loans from a margin protocol or manipulating the spot prices on a DEX). PoCs or descriptions of bug exploits may utilize such mechanisms, either to make an attack more severe than it would be in isolation, or to achieve an attack that would otherwise be impossible or infeasible. However, they will only be considered in-scope so long as:\n\n1. Losses or other negative effects of the attack are inflicted upon Maker ecosystem participants: MKR holders, DAI holders, Vault holders, or Keepers. 
If the losses or negative effects are inflicted solely upon other (external) protocols, the attack is not in scope for this bounty program (though we would encourage you to responsibly disclose to those protocols).\n2. The losses or other negative effects could be prevented via changes to the MCD smart contracts already included in the bounty scope.\n3. The additional DeFi protocols used exist as smart contracts on the Ethereum mainnet and can reasonably be expected to have enough liquidity in various assets to allow the attack to succeed (when there is insufficient liquidity to achieve the claimed severity level but the attack is still possible, it will still be considered in-scope but with a downgraded severity level).\n\n## Smart Contracts Releases\n\nAs-needed deployments of the latest versions of the smart contracts to the Kovan testnet and mainnet will continue. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements, unless otherwise noted.\n\nThe bug bounty program will be applicable only to the releases specified in this policy. Submissions should indicate to which release they relate.\n\n**The only current release eligible for vulnerability reports is the [active mainnet release](https://changelog.makerdao.com/releases/mainnet/active/contracts.json). 
Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all releases are available from [changelog.makerdao.com](https://changelog.makerdao.com/)\n\n## Smart Contracts Investigation Tools\n\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD.\n\n- [https://docs.makerdao.com/maker-protocol-101](https://docs.makerdao.com/maker-protocol-101)\n\n**Official Documentation**\nThe full documentation of the Maker protocol, including smart contracts.\n\n- [https://docs.makerdao.com/](https://docs.makerdao.com/)\n\n**Source Code**\nThe MCD core contracts and some additional documentation can be found here:\n\n- [https://github.com/makerdao/clipper-mom](https://github.com/makerdao/clipper-mom)\n- [https://github.com/makerdao/esm](https://github.com/makerdao/esm)\n- [https://github.com/makerdao/dss](https://github.com/makerdao/dss)\n- [https://github.com/makerdao/dss-cdp-manager](https://github.com/makerdao/dss-cdp-manager)\n- [https://github.com/makerdao/dss-chief](https://github.com/makerdao/dss-chief)\n- [https://github.com/makerdao/dss-gem-joins](https://github.com/makerdao/dss-gem-joins)\n- [https://github.com/makerdao/osm-mom](https://github.com/makerdao/osm-mom)\n- [https://github.com/makerdao/dss-proxy-actions](https://github.com/makerdao/dss-proxy-actions)\n- [https://github.com/makerdao/dss/wiki](https://github.com/makerdao/dss/wiki)\n\nIf reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:\n\n- [https://docs.makerdao.com/other-documentation/smart-contract-annotations](https://docs.makerdao.com/other-documentation/smart-contract-annotations)\n\nDeployment Scripts:\n\n- [https://github.com/makerdao/dss-deploy](https://github.com/makerdao/dss-deploy)\n- [https://github.com/makerdao/dss-deploy-scripts](https://github.com/makerdao/dss-deploy-scripts)\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n\n- 
[https://dapp.tools/seth/](https://dapp.tools/seth/)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n\n- [https://github.com/makerdao/mcd-cli](https://github.com/makerdao/mcd-cli)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com/) to get the faucet address for the relevant deployment (`FAUCET`).\n\nTo claim tokens, use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\n\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\n\nThe scope of our program focuses on exploiting specific externally facing Maker team infrastructure. This program covers security vulnerabilities discovered within the Maker public infrastructure including select websites and DNS configurations.\n\nSystems in scope with this program are listed below. We expect to include more domains in the future.\n\n- [forum.makerdao.com](http://forum.makerdao.com/)\n- [chat.makerdao.com](http://chat.makerdao.com/)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-10T10:27:05.728Z"},{"id":3651134,"new_policy":"# Introduction\n\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. 
The scopes are:\n\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\n\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\n\nA bug report may qualify for a reward only when:\n\n- It makes the Maker team aware of the bug for the first time.\n- The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public.\n- The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program.\n- A bug is reported without any conditions, demands, or threats.\n- The investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n- The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    - The conditions on which reproducing the bug is contingent.\n    - The steps needed to reproduce the bug or, better yet, a proof-of-concept. 
If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    - The potential implications of the vulnerability being abused.\n- Multiples or duplicates\n    - Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    - When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    - Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n\n# Ineligible methods\n\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n- Social engineering\n- DDoS attacks\n- Spamming\n- Any physical attacks against Maker Foundation property, data centers or employees\n- Automated tools\n- Compromising or misusing third party systems or services\n\n# Ineligible bugs\n\n- Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program.\n- Vulnerabilities in outdated software from Maker or which affect only outdated third party software.\n- Bugs that are not reproducible.\n- Bugs disclosed to other parties without consent from the Maker team.\n- Issues which we cannot reasonably be expected to be able to do anything about.\n- Cookies missing security flags (for non-sensitive cookies).\n- Additional missing security controls often considered “Best practice”, such as:\n    - Content Security Policy (CSP) HTTP header\n    - HTTP Public Key Pinning (HPKP)\n    - Subresource integrity\n    - Referrer Policy\n- The following vulnerabilities in a vendor we integrate with:\n    
- Cross-site Scripting (XSS)\n    - Cross-Site Request Forgery (CSRF)\n    - Cross Frame Scripting\n    - Content Spoofing\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n- Weak TLS and SSL ciphers that we are already aware of\n\n# Time to response\n\nPlease allow 5 business days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\n\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker Foundation team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to infosec+bugbounty@makerdao.com\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n\n# SMART CONTRACTS PROGRAM\n\n## Introduction\n\nThe smart contracts bug bounty program will develop in iterations:\n\n- The scope of contracts will increase. 
Contracts already in scope may be updated on a bi-weekly basis as shown on [changelog.makerdao.com](http://changelog.makerdao.com/)\n- Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely.\n\nThe scope is a selection of the core smart contracts of MCD as deployed on the Ethereum Kovan testnet, while more contracts will be added as needed.\n\nThe minimum amounts will also increase in future iterations of the bug bounty program.\n\n## Special Requirements for Critical Smart Contract bugs\n\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs, which must meet the following requirements:\n\n- The bug must allow a user to steal Collateral tokens, Dai or MKR representing at least 10% of the value of all collateral tokens from the system.\n- The attack must be triggered through an attack vector that is more than just theoretical.\n- The system must be in normal operational mode or emergency shutdown mode. This excludes for example any states during deployment or shortly after when the system is not fully initialized.\n\n**Note: All Smart Contract bugs must include a PoC implementation with reproducible steps. This can be in the form of a Solidity or JavaScript test or a list of actions that clearly shows how the bug occurs.** We recommend using [Dapp tools](https://github.com/dapphub/dapptools) for testing.\n\n## Smart Contracts Scope\n\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. 
Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n- **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n- **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n- **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n- **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n- **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - English Auction Liquidator\n- **[Dog](https://github.com/makerdao/dss/blob/master/src/dog.sol)** (`MCD_DOG`) - Dutch Auction Liquidator\n- **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n- **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n- **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - English Collateral Auction\n- **[Clipper](https://github.com/makerdao/dss/blob/master/src/clip.sol)** (`MCD_CLIP`) - Dutch Collateral Auction\n- **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n- **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n- **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note: in a previous version of the bug bounty program this was DSToken. 
Currently it is `dss/Dai.sol`)\n- **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n- All [gem join adapters](https://github.com/makerdao/dss-gem-joins/) are in scope.\n- **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n- Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different than the total amount that is joined through the contract if users send tokens or ETH directly to the contract. We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Instant Access Modules**\n\n- **[OsmMom](https://github.com/makerdao/osm-mom/blob/master/src/OsmMom.sol)** (`OSM_MOM`) - allows oracle price updates to be halted without a governance delay\n- **[FlipperMom](https://github.com/makerdao/flipper-mom/blob/master/src/FlipperMom.sol)** (`FLIPPER_MOM`) - allows liquidations to be enabled and disabled without a governance delay for collaterals using the English auction system\n- **[ClipperMom](https://github.com/makerdao/clipper-mom/blob/master/src/ClipperMom.sol)** (`CLIPPER_MOM`) - allows liquidations to be enabled and disabled without a governance delay for collaterals using the Dutch auction system; also allows permissionless disabling of liquidations for such collaterals if the Oracle module indicates that the price will fall by more than a specified per-collateral percentage\n- **[Debt Ceiling Instant Access Module](https://github.com/makerdao/dss-auto-line/blob/master/src/DssAutoLine.sol)** (`MCD_IAM_AUTO_LINE`) - allows the debt ceilings of configured collaterals to be raised and lowered permissionlessly in a constrained fashion\n\n**Oracles**\n\n- 
**[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n- **[OSM](https://github.com/makerdao/osm)** (`PIP_ETH`, `PIP_BAT`, `PIP_WBTC`, `PIP_ZRX`, `PIP_KNC`, `PIP_MANA`, `PIP_USDT`, `PIP_COMP`, `PIP_LRC`, `PIP_LINK`, `PIP_BAL`, `PIP_UNI`, `PIP_RENBTC`, `PIP_AAVE`) Oracle Security Module\n- **[LP Token OSM](https://github.com/makerdao/univ2-lp-oracle)** (`PIP_UNIV2DAIETH`, `PIP_UNIV2WBTCETH`, `PIP_UNIV2USDCETH`, `PIP_UNIV2DAIUSDC`, `PIP_UNIV2ETHUSDT`, `PIP_UNIV2LINKETH`, `PIP_UNIV2UNIETH`, `PIP_UNIV2WBTCDAI`, `PIP_UNIV2AAVEETH`, `PIP_UNIV2DAIUSDT`) Uniswap V2 LP Token Oracle Security Module\n\n**Governance**\n\nThe smart contracts included for \"governance\" have special limitations on the types of bugs that are currently considered in scope.  For instance, it is a known design aspect of governance that governance has \"root\" access to the MCD system and with this permission is able to manipulate system parameters in such a way that it could take actions that would qualify under this program scope.  We have recently added the Governance Security Module (see pause scope below) to provide a delay in governance actions and additional protection against malicious governance proposals.  Generic \"Governance could be malicious\" reports **are not in scope**.\n\nHowever, bugs in the [DS-Chief contract](https://github.com/makerdao/ds-chief/blob/master/src/chief.sol) that result in the voting with, locking, or theft of MKR tokens that are not owned by the attacker are considered in scope. 
A bug that shows an attacker locking, voting with, or stealing another user's MKR through a bug in the Chief would be considered **critical**.\n\nAdditionally, bugs in the [Pause](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L21) or [Pause Proxy](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L109) contracts or MCD system permissions that allow a Governance proposal to be enacted without waiting for the pause would be considered in scope. Specifically excluded from this scope would be an attack that relies on clogging the Ethereum network, colluding with miners, or Governance not noticing or being overwhelmed by malicious proposals long enough for the delay to pass. A bug that allows governance to act instantaneously through the pause contract or to directly affect some permissioned part of the MCD system is in scope unless done via an Instant Access Module (IAM). IAMs are smart contracts with permissions that permit bypassing of the governance delay for specific actions, which are either deemed to be safe, or to be necessary as emergency defenses. Any behavior of an instant access module that violates the intent of that module is still a bug.\n\n**Attacks Leveraging Other DeFi Protocols**\n\nAttacks in the DeFi space sometimes combine multiple protocols (e.g. utilizing flash loans from a margin protocol or manipulating the spot prices on a DEX). PoCs or descriptions of bug exploits may utilize such mechanisms, either to make an attack more severe than it would be in isolation, or to achieve an attack that would otherwise be impossible or infeasible. However, they will only be considered in-scope so long as:\n\n1. Losses or other negative effects of the attack are inflicted upon Maker ecosystem participants: MKR holders, DAI holders, Vault holders, or Keepers. 
If the losses or negative effects are inflicted solely upon other (external) protocols, the attack is not in scope for this bounty program (though we would encourage you to responsibly disclose to those protocols).\n2. The losses or other negative effects could be prevented via changes to the MCD smart contracts already included in the bounty scope.\n3. The additional DeFi protocols used exist as smart contracts on the Ethereum mainnet and can reasonably be expected to have enough liquidity in various assets to allow the attack to succeed (when there is insufficient liquidity to achieve the claimed severity level but the attack is still possible, it will still be considered in-scope but with a downgraded severity level).\n\n## Smart Contracts Releases\n\nAs-needed deployments of the latest versions of the smart contracts to the Kovan testnet and mainnet will continue. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements, unless otherwise noted.\n\nThe bug bounty program will be applicable only to the releases specified in this policy. Submissions should indicate to which release they relate.\n\n**The only current release eligible for vulnerability reports is the [active mainnet release](https://changelog.makerdao.com/releases/mainnet/active/contracts.json). 
Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all releases are available from [changelog.makerdao.com](https://changelog.makerdao.com/)\n\n## Smart Contracts Investigation Tools\n\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD.\n\n- [https://docs.makerdao.com/maker-protocol-101](https://docs.makerdao.com/maker-protocol-101)\n\n**Official Documentation**\nThe full documentation of the Maker protocol, including smart contracts.\n\n- [https://docs.makerdao.com/](https://docs.makerdao.com/)\n\n**Source Code**\nThe MCD core contracts and some additional documentation can be found here:\n\n- [https://github.com/makerdao/clipper-mom](https://github.com/makerdao/clipper-mom)\n- [https://github.com/makerdao/esm](https://github.com/makerdao/esm)\n- [https://github.com/makerdao/dss](https://github.com/makerdao/dss)\n- [https://github.com/makerdao/dss-cdp-manager](https://github.com/makerdao/dss-cdp-manager)\n- [https://github.com/makerdao/dss-chief](https://github.com/makerdao/dss-chief)\n- [https://github.com/makerdao/dss-gem-joins](https://github.com/makerdao/dss-gem-joins)\n- [https://github.com/makerdao/osm-mom](https://github.com/makerdao/osm-mom)\n- [https://github.com/makerdao/dss-proxy-actions](https://github.com/makerdao/dss-proxy-actions)\n- [https://github.com/makerdao/dss/wiki](https://github.com/makerdao/dss/wiki)\n\nIf reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:\n\n- [https://docs.makerdao.com/other-documentation/smart-contract-annotations](https://docs.makerdao.com/other-documentation/smart-contract-annotations)\n\nDeployment Scripts:\n\n- [https://github.com/makerdao/dss-deploy](https://github.com/makerdao/dss-deploy)\n- [https://github.com/makerdao/dss-deploy-scripts](https://github.com/makerdao/dss-deploy-scripts)\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n\n- 
[https://dapp.tools/seth/](https://dapp.tools/seth/)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n\n- [https://github.com/makerdao/mcd-cli](https://github.com/makerdao/mcd-cli)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com/) to get the faucet address for the relevant deployment (`FAUCET`).\n\nTo claim tokens, use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\n\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\n\nThe scope of our program focuses on exploiting specific externally facing infrastructure owned by Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope with this program are listed below. 
We expect to include more domains in the future.\n\n- [forum.makerdao.com](http://forum.makerdao.com/)\n- [chat.makerdao.com](http://chat.makerdao.com/)\n- [support.makerdao.com](http://support.makerdao.com/)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-04-14T19:08:29.136Z"},{"id":3649417,"new_policy":"# Introduction\n\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\n\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\n\nA bug report may qualify for a reward only when:\n\n- It makes the Maker team aware of the bug for the first time.\n- The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public.\n- The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program.\n- A bug is reported without any conditions, demands, or threats.\n- The investigation method and vulnerability report must adhere to the guidelines in this document. 
It is ultimately our sole discretion whether a report meets the reward requirements.\n- The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    - The conditions on which reproducing the bug is contingent.\n    - The steps needed to reproduce the bug or, better yet, a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    - The potential implications of the vulnerability being abused.\n- Multiples or duplicates\n    - Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    - When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    - Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. 
We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n\n# Ineligible methods\n\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n- Social engineering\n- DDoS attacks\n- Spamming\n- Any physical attacks against Maker Foundation property, data centers or employees\n- Automated tools\n- Compromising or misusing third party systems or services\n\n# Ineligible bugs\n\n- Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program.\n- Vulnerabilities in outdated software from Maker or which affect only outdated third party software.\n- Bugs that are not reproducible.\n- Bugs disclosed to other parties without consent from the Maker team.\n- Issues which we cannot reasonably be expected to be able to do anything about.\n- Cookies missing security flags (for non-sensitive cookies).\n- Additional missing security controls often considered “Best practice”, such as:\n    - Content Security Policy (CSP) HTTP header\n    - HTTP Public Key Pinning (HPKP)\n    - Subresource integrity\n    - Referrer Policy\n- The following vulnerabilities in a vendor we integrate with:\n    - Cross-site Scripting (XSS)\n    - Cross-Site Request Forgery (CSRF)\n    - Cross Frame Scripting\n    - Content Spoofing\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n- Weak TLS and SSL ciphers that we are already aware of\n\n# Time to response\n\nPlease allow 5 business days for our reply. 
We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\n\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker Foundation team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to infosec+bugbounty@makerdao.com\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n\n# SMART CONTRACTS PROGRAM\n\n## Introduction\n\nThe smart contracts bug bounty program will develop in iterations:\n\n- The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on [changelog.makerdao.com](http://changelog.makerdao.com/)\n- Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely.\n\nThe scope is a selection of the core smart contracts of MCD as deployed on the Ethereum Kovan testnet, while more contracts will be added as needed.\n\nThe minimum amounts will also increase in future iterations of the bug bounty program.\n\n## Special Requirements for Critical Smart Contract bugs\n\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. 
One exception pertains to Critical bugs which must meet the following requirements:\n\n- The bug must allow a user to steal Collateral tokens, Dai or MKR representing at least 10% of the value of all collateral tokens from the system.\n- The attack must be triggered through an attack vector that is more than just theoretical.\n- The system must be in normal operational mode or emergency shutdown mode. This excludes, for example, any state during deployment or shortly after, when the system is not fully initialized.\n\n**Note: All Smart Contract bugs must include a POC implementation with reproducible steps. This can take the form of a Solidity or JavaScript test or a list of actions that clearly shows how the bug occurs.** We recommend using [Dapp tools](https://github.com/dapphub/dapptools) or [Truffle](https://www.trufflesuite.com/) for testing.\n\n## Smart Contracts Scope\n\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. 
Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n- **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n- **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n- **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n- **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n- **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n- **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n- **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n- **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n- **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n- **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n- **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note: in a previous version of the bug bounty program this was DSToken. Currently it is `dss/dai.sol`)\n- **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n- **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    - Note: We are aware that the balance of the contract may be different from the total amount that is deposited if users send ETH directly to the contract. 
We do not believe this has a negative impact on the system, so unless a report can show that a higher balance does have negative consequences, we will consider reports that the actual balance is higher than the sum of balanceOf values out of scope.\n- Adapters\n    - **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapters\n    - **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    - **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    - **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    - **[GemJoin5](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_USDC_A`) - USDC Adapter\n    - Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different from the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system, so unless a report can show that a higher balance does have negative consequences, we will consider reports that the actual balance is higher than the sum of tokens 'join'ed out of scope.\n\n**Instant Access Modules**\n\n- **[OsmMom](https://github.com/makerdao/osm-mom/blob/master/src/OsmMom.sol)** (`OSM_MOM`) - allows oracle price updates to be halted without a governance delay\n- **[FlipperMom](https://github.com/makerdao/flipper-mom/blob/master/src/FlipperMom.sol)** (`FLIPPER_MOM`) - allows liquidations to be enabled and disabled without a governance delay\n\n**Oracles**\n\n- **[Median](https://github.com/makerdao/median)** (to get the address, call `src()` on the corresponding OSM, for example `seth call $PIP_ETH 'src()(address)'`) - Medianizer for Oracles\n- **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) - Oracle Security Module\n\n**Governance**\n\nThe smart contracts included for \"governance\" have special limitations on the types of bugs that are currently considered in scope. For instance, it is a known design aspect of governance that governance has \"root\" access to the MCD system and with this permission is able to manipulate system parameters in such a way that it could take actions that would qualify under this program scope. We have recently added the Governance Security Module (see pause scope below) to provide a delay in governance actions and additional protection against malicious governance proposals. Generic \"Governance could be malicious\" reports **are not in scope**.\n\nHowever, bugs in the [DS-Chief contract](https://github.com/dapphub/ds-chief/blob/master/src/chief.sol) that result in voting with, locking, or theft of MKR tokens that are not owned by the attacker are considered in scope. 
A bug that shows an attacker locking, voting with, or stealing another user's MKR through a bug in the Chief would be considered **critical**.\n\nAdditionally, bugs in the [Pause](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L21) or [Pause Proxy](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L109) contracts or MCD system permissions that allow a Governance proposal to be enacted without waiting for the pause would be considered in scope. Specifically excluded from this scope would be an attack that relies on clogging the Ethereum network, colluding with miners, or Governance not noticing or being overwhelmed by malicious proposals long enough for the delay to pass. A bug that allows governance to act instantaneously through the pause contract or to directly affect some permissioned part of the MCD system is in scope unless done via an Instant Access Module (IAM). IAMs are smart contracts whose permissions allow them to bypass the governance delay for specific actions that are either deemed safe or necessary as emergency defenses. Any behavior of an instant access module that violates the intent of that module is still a bug.\n\n**Attacks Leveraging Other DeFi Protocols**\n\nAttacks in the DeFi space sometimes combine multiple protocols (e.g. utilizing flash loans from a margin protocol or manipulating the spot prices on a DEX). POCs or descriptions of bug exploits may utilize such mechanisms, either to make an attack more severe than it would be in isolation, or to achieve an attack that would otherwise be impossible or infeasible. However, they will only be considered in-scope so long as:\n\n1. Losses or other negative effects of the attack are inflicted upon Maker ecosystem participants: MKR holders, DAI holders, Vault holders, or Keepers. 
If the losses or negative effects are inflicted solely upon other (external) protocols, the attack is not in scope for this bounty program (though we would encourage you to responsibly disclose to those protocols).\n2. The losses or other negative effects could be prevented via changes to the MCD smart contracts already included in the bounty scope.\n3. The additional DeFi protocols used exist as smart contracts on the Ethereum mainnet and can reasonably be expected to have enough liquidity in various assets to allow the attack to succeed (when there is insufficient liquidity to achieve the claimed severity level but the attack is still possible, it will still be considered in-scope but with a downgraded severity level).\n\n## Smart Contracts Testnet Releases\n\nThe Maker Foundation will continue with as-needed deployments of the latest versions of the smart contracts to the Kovan testnet. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements, unless otherwise noted.\n\nThe bug bounty program will be applicable to only one release at a time as specified in this policy. Submissions should indicate to which release they relate.\n\n**The current release eligible for vulnerability reports is 1.0.4. 
Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com/)\n\n## Smart Contracts Investigation Tools\n\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD.\n\n- [https://docs.makerdao.com/maker-protocol-101](https://docs.makerdao.com/maker-protocol-101)\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n\n- [https://github.com/makerdao/dss](https://github.com/makerdao/dss)\n- [https://github.com/makerdao/dss/wiki](https://github.com/makerdao/dss/wiki)\n\nIf reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:\n\n- [https://docs.makerdao.com/other-documentation/smart-contract-annotations](https://docs.makerdao.com/other-documentation/smart-contract-annotations)\n\nDeployment Scripts:\n\n- [https://github.com/makerdao/dss-deploy](https://github.com/makerdao/dss-deploy)\n- [https://github.com/makerdao/dss-deploy-scripts](https://github.com/makerdao/dss-deploy-scripts)\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n\n- [https://dapp.tools/seth/](https://dapp.tools/seth/)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n\n- [https://github.com/makerdao/mcd-cli](https://github.com/makerdao/mcd-cli)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. 
See the [changelog](https://changelog.makerdao.com/) to get the faucet address for the relevant deployment (`FAUCET`).\n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\n\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\n\nThe scope of this program is limited to specific externally facing infrastructure owned by the Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope for this program are listed below. We expect to include more domains in the future.\n\n- [forum.makerdao.com](http://forum.makerdao.com/)\n- [chat.makerdao.com](http://chat.makerdao.com/)\n- [support.makerdao.com](http://support.makerdao.com/)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-03T15:50:28.858Z"},{"id":3635887,"new_policy":"# Introduction\n\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n\n1. Smart contracts for Multi-Collateral Dai\n2. 
Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\n\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\n\nA bug report may qualify for a reward only when:\n\n- It makes the Maker team aware of the bug for the first time.\n- The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public.\n- The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program.\n- A bug is reported without any conditions, demands, or threats.\n- The investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n- The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    - The conditions on which reproducing the bug is contingent.\n    - The steps needed to reproduce the bug or, better yet, a proof of concept. 
If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    - The potential implications of the vulnerability being abused.\n- Multiples or duplicates\n    - Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    - When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    - Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Rewards amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n\n# Ineligible methods\n\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n- Social engineering\n- DDOS attack\n- Spamming\n- Any physical attacks against Maker Foundation property, data centers or employees\n- Automated tools\n- Compromising or misusing third party systems or services\n\n# Ineligible bugs\n\n- Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program.\n- Vulnerabilities in outdated software from Maker or which affects only outdated third party software.\n- Bugs that are not reproducible.\n- Bugs disclosed to other parties without consent from the Maker team.\n- Issues which we cannot reasonably be expected to be able to do anything about.\n- Cookies missing security flags (for non-sensitive cookies).\n- Additional missing security controls often considered “Best practice”, such as:\n    - Content Security Policy (CSP) HTTP header\n    - HTTP Public Key Pinning (HPKP)\n    - Subresource integrity\n    - Referrer Policy\n- The following vulnerabilities in a vendor we integrate with:\n    
- Cross-site Scripting (XSS)\n    - Cross-Site Request Forgery (CSRF)\n    - Cross Frame Scripting\n    - Content Spoofing\n- Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.\n- Weak TLS and SSL ciphers (which we are already aware of)\n\n# Time to response\n\nPlease allow 5 business days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\n\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker Foundation team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to infosec+bugbounty@makerdao.com\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n\n# SMART CONTRACTS PROGRAM\n\n## Introduction\n\nThe smart contracts bug bounty program will develop in iterations:\n\n- The scope of contracts will increase. 
Contracts already in scope may be updated on a bi-weekly basis as shown on [changelog.makerdao.com](http://changelog.makerdao.com/)\n- Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely.\n\nThe scope is a selection of the core smart contracts of MCD as deployed on the Ethereum Kovan testnet, while more contracts will be added as needed.\n\nThe minimum amounts will also increase in future iterations of the bug bounty program.\n\n## Special Requirements for Critical Smart Contract bugs\n\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:\n\n- The bug must allow a user to steal Collateral tokens, Dai or MKR representing at least 10% of the value of all collateral tokens from the system.\n- The attack must be triggered through an attack vector that is more than just theoretical.\n- The system must be in normal operational mode or emergency shutdown mode. This excludes, for example, any state during deployment or shortly after, when the system is not fully initialized.\n\n**Note: All Smart Contract bugs must include a POC implementation with reproducible steps. This can take the form of a Solidity or JavaScript test or a list of actions that clearly shows how the bug occurs.** We recommend using [Dapp tools](https://github.com/dapphub/dapptools) or [Truffle](https://www.trufflesuite.com/) for testing.\n\n## Smart Contracts Scope\n\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. 
Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n- **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n- **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n- **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n- **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n- **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n- **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n- **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n- **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n- **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n- **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n- **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note: in a previous version of the bug bounty program this was DSToken. 
Currently it is `dss/dai.sol`)\n- **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n- **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    - Note: We are aware that the balance of the contract may be different from the total amount that is deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system, so unless a report can show that a higher balance does have negative consequences, we will consider reports that the actual balance is higher than the sum of balanceOf values out of scope.\n- Adapters\n    - **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapters\n    - **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    - **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    - **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    - **[GemJoin5](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_USDC_A`) - USDC Adapter\n    - Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different from the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system, so unless a report can show that a higher balance does have negative consequences, we will consider reports that the actual balance is higher than the sum of tokens 'join'ed out of scope.\n\n**Instant Access Modules**\n\n- **[OsmMom](https://github.com/makerdao/osm-mom/blob/master/src/OsmMom.sol)** (`OSM_MOM`) - allows oracle price updates to be halted without a governance delay\n- **[FlipperMom](https://github.com/makerdao/flipper-mom/blob/master/src/FlipperMom.sol)** (`FLIPPER_MOM`) - allows liquidations to be enabled and disabled without a governance delay\n\n**Oracles**\n\n- **[Median](https://github.com/makerdao/median)** (to get the address, call `src()` on the corresponding OSM, for example `seth call $PIP_ETH 'src()(address)'`) - Medianizer for Oracles\n- **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) - Oracle Security Module\n\n**Governance**\n\nThe smart contracts included for \"governance\" have special limitations on the types of bugs that are currently considered in scope. For instance, it is a known design aspect of governance that governance has \"root\" access to the MCD system and with this permission is able to manipulate system parameters in such a way that it could take actions that would qualify under this program scope. We have recently added the Governance Security Module (see pause scope below) to provide a delay in governance actions and additional protection against malicious governance proposals. Generic \"Governance could be malicious\" reports **are not in scope**.\n\nHowever, bugs in the [DS-Chief contract](https://github.com/dapphub/ds-chief/blob/master/src/chief.sol) that result in voting with, locking, or theft of MKR tokens that are not owned by the attacker are considered in scope. 
A bug that shows an attacker locking, voting with, or stealing another user's MKR through a bug in the Chief would be considered **critical**.\n\nAdditionally, bugs in the [Pause](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L21) or [Pause Proxy](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L109) contracts or MCD system permissions that allow a Governance proposal to be enacted without waiting for the pause would be considered in scope. Specifically excluded from this scope would be an attack that relies on clogging the Ethereum network, colluding with miners, or Governance not noticing or being overwhelmed by malicious proposals long enough for the delay to pass. A bug that allows governance to act instantaneously through the pause contract or to directly affect some permissioned part of the MCD system is in scope unless done via an Instant Access Module (IAM). IAMs are smart contracts whose permissions allow them to bypass the governance delay for specific actions that are either deemed safe or necessary as emergency defenses. Any behavior of an instant access module that violates the intent of that module is still a bug.\n\n**Attacks Leveraging Other DeFi Protocols**\n\nAttacks in the DeFi space sometimes combine multiple protocols (e.g. utilizing flash loans from a margin protocol or manipulating the spot prices on a DEX). POCs or descriptions of bug exploits may utilize such mechanisms, either to make an attack more severe than it would be in isolation, or to achieve an attack that would otherwise be impossible or infeasible. However, they will only be considered in-scope so long as:\n\n1. Losses or other negative effects of the attack are inflicted upon Maker ecosystem participants: MKR holders, DAI holders, Vault holders, or Keepers. 
If the losses or negative effects are inflicted solely upon other (external) protocols, the attack is not in scope for this bounty program (though we would encourage you to responsibly disclose to those protocols).\n2. The losses or other negative effects could be prevented via changes to the MCD smart contracts already included in the bounty scope.\n3. The additional DeFi protocols used exist as smart contracts on the Ethereum mainnet and can reasonably be expected to have enough liquidity in various assets to allow the attack to succeed (when there is insufficient liquidity to achieve the claimed severity level but the attack is still possible, it will still be considered in-scope but with a downgraded severity level).\n\n## Smart Contracts Testnet Releases\n\nThe Maker Foundation will continue with as-needed deployments of the latest versions of the smart contracts to the Kovan testnet. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements, unless otherwise noted.\n\nThe bug bounty program will be applicable to only one release at a time as specified in this policy. Submissions should indicate to which release they relate.\n\n**The current release eligible for vulnerability reports is 1.0.4. 
Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com/)\n\n## Smart Contracts Investigation Tools\n\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD.\n\n- [https://docs.makerdao.com/maker-protocol-101](https://docs.makerdao.com/maker-protocol-101)\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n\n- [https://github.com/makerdao/dss](https://github.com/makerdao/dss)\n- [https://github.com/makerdao/dss/wiki](https://github.com/makerdao/dss/wiki)\n\nIf reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:\n\n- [https://docs.makerdao.com/other-documentation/smart-contract-annotations](https://docs.makerdao.com/other-documentation/smart-contract-annotations)\n\nDeployment Scripts:\n\n- [https://github.com/makerdao/dss-deploy](https://github.com/makerdao/dss-deploy)\n- [https://github.com/makerdao/dss-deploy-scripts](https://github.com/makerdao/dss-deploy-scripts)\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n\n- [https://dapp.tools/seth/](https://dapp.tools/seth/)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n\n- [https://github.com/makerdao/mcd-cli](https://github.com/makerdao/mcd-cli)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. 
See the [changelog](https://changelog.makerdao.com/) to get the faucet address for the relevant deployment (`FAUCET`).\n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\n\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\n\nThe scope of this program is limited to specific externally facing infrastructure owned by the Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope for this program are listed below. We expect to include more domains in the future.\n\n- [forum.makerdao.com](http://forum.makerdao.com/)\n- [chat.makerdao.com](http://chat.makerdao.com/)\n- [blog.makerdao.com](http://blog.makerdao.com/)\n- [support.makerdao.com](http://support.makerdao.com/)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-05-06T12:48:05.811Z"},{"id":3634916,"new_policy":"# Introduction\n\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n\n1. Smart contracts for Multi-Collateral Dai\n2. 
Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\n\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\n\nA bug report may qualify for a reward only when:\n\n- It makes the Maker team aware of the bug for the first time.\n- The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public.\n- The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program.\n- A bug is reported without any conditions, demands, or threats.\n- The investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n- The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    - The conditions on which reproducing the bug is contingent.\n    - The steps needed to reproduce the bug or, better yet, a proof of concept. 
If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    - The potential implications of the vulnerability being abused.\n- Multiples or duplicates\n    - Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    - When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    - Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n\n# Ineligible methods\n\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n- Social engineering\n- DDoS attack\n- Spamming\n- Any physical attacks against Maker Foundation property, data centers or employees\n- Automated tools\n- Compromising or misusing third party systems or services\n\n# Ineligible bugs\n\n- Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program.\n- Vulnerabilities in outdated software from Maker or which affect only outdated third party software.\n- Bugs that are not reproducible.\n- Bugs disclosed to other parties without consent from the Maker team.\n- Issues which we cannot reasonably be expected to be able to do anything about.\n- Cookies missing security flags (for non-sensitive cookies).\n- Additional missing security controls often considered “Best practice”, such as:\n    - Content Security Policy (CSP) HTTP header\n    - HTTP Public Key Pinning (HPKP)\n    - Subresource integrity\n    - Referrer Policy\n- The following vulnerabilities in a vendor we integrate with:\n    
- Cross-site Scripting (XSS)\n    - Cross-Site Request Forgery (CSRF)\n    - Cross Frame Scripting\n    - Content Spoofing\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n- Weak TLS and SSL ciphers (which we are already aware of)\n\n# Time to response\n\nPlease allow 5 business days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\n\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker Foundation team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n\n# SMART CONTRACTS PROGRAM\n\n## Introduction\n\nThe smart contracts bug bounty program will develop in iterations:\n\n- The scope of contracts will increase. 
Contracts already in scope may be updated on a bi-weekly basis as shown on [changelog.makerdao.com](http://changelog.makerdao.com/)\n- Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely.\n\nThe scope is a selection of the core smart contracts of MCD as deployed on the Ethereum Kovan testnet, while more contracts will be added as needed.\n\nThe minimum amounts will also increase in future iterations of the bug bounty program.\n\n## Special Requirements for Critical Smart Contract bugs\n\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs, which must meet the following requirements:\n\n- The bug must allow a user to steal Collateral tokens, Dai or MKR representing at least 10% of the value of all collateral tokens from the system.\n- The attack must be triggered through an attack vector that is more than just theoretical.\n- The system must be in normal operational mode or emergency shutdown mode. This excludes for example any states during deployment or shortly after when the system is not fully initialized.\n\n**Note: All Smart Contract bugs must include a POC implementation with reproducible steps. This can take the form of a Solidity or JavaScript test or a list of actions that clearly shows how the bug occurs.** We recommend using [Dapp tools](https://github.com/dapphub/dapptools) or [Truffle](https://www.trufflesuite.com/) for testing.\n\n## Smart Contracts Scope\n\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. 
Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n- **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n- **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n- **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n- **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n- **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n- **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n- **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n- **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n- **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n- **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n- **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. 
Currently it is `dss/Dai.sol`)\n- **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n- **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    - Note: We are aware that the balance of the contract may be different from the total amount that is deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n- Adapters\n    - **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n    - **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    - **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    - **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    - **[GemJoin5](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_USDC_A`) - USDC Adapter\n    - Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different from the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Instant Access Modules**\n\n- **[OsmMom](https://github.com/makerdao/osm-mom/blob/master/src/OsmMom.sol)** (`OSM_MOM`) - allows oracle price updates to be halted without a governance delay\n- **[FlipperMom](https://github.com/makerdao/flipper-mom/blob/master/src/FlipperMom.sol)** (`FLIPPER_MOM`) - allows liquidations to be enabled and disabled without a governance delay\n\n**Oracles**\n\n- **[Median](https://github.com/makerdao/median)** (to get the address, call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n- **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n**Governance**\n\nThe smart contracts included for \"governance\" have special limitations on the types of bugs that are currently considered in scope. For instance, it is a known design aspect of governance that governance has \"root\" access to the MCD system and with this permission is able to manipulate system parameters in such a way that it could take actions that would qualify under this program scope. We have recently added the Governance Security Module (see pause scope below) to provide a delay in governance actions and additional protection against malicious governance proposals. Generic \"Governance could be malicious\" reports **are not in scope**.\n\nHowever, bugs in the [DS-Chief contract](https://github.com/dapphub/ds-chief/blob/master/src/chief.sol) that result in the voting with, locking, or theft of MKR tokens that are not owned by the attacker are considered in scope. 
A bug that shows an attacker locking, voting with, or stealing another user's MKR through a bug in the Chief would be considered **critical**.\n\nAdditionally, bugs in the [Pause](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L21) or [Pause Proxy](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L109) contracts or MCD system permissions that allow a Governance proposal to be enacted without waiting for the pause would be considered in scope. Specifically excluded from this scope would be an attack that relies on clogging the Ethereum network, colluding with miners, or Governance not noticing or being overwhelmed by malicious proposals long enough for the delay to pass. A bug that allows governance to act instantaneously through the pause contract or to directly affect some permissioned part of the MCD system is in scope unless done via an Instant Access Module (IAM). IAMs are smart contracts with permissions that permit bypassing of the governance delay for specific actions, which are either deemed to be safe, or to be necessary as emergency defenses. Any behavior of an instant access module that violates the intent of that module is still a bug.\n\n**Attacks Leveraging Other DeFi Protocols**\n\nAttacks in the DeFi space sometimes combine multiple protocols (e.g. utilizing flash loans from a margin protocol or manipulating the spot prices on a DEX). POCs or descriptions of bug exploits may utilize such mechanisms, either to make an attack more severe than it would be in isolation, or to achieve an attack that would otherwise be impossible or infeasible. However, they will only be considered in-scope so long as:\n\n1. Losses or other negative effects of the attack are inflicted upon Maker ecosystem participants: MKR holders, DAI holders, Vault holders, or Keepers. 
If the losses or negative effects are inflicted solely upon other (external) protocols, the attack is not in scope for this bounty program (though we would encourage you to responsibly disclose to those protocols).\n2. The losses or other negative effects could be prevented via changes to the MCD smart contracts already included in the bounty scope.\n3. The additional DeFi protocols used exist as smart contracts on the Ethereum mainnet and can reasonably be expected to have enough liquidity in various assets to allow the attack to succeed (when there is insufficient liquidity to achieve the claimed severity level but the attack is still possible, it will still be considered in-scope but with a downgraded severity level).\n\n## Smart Contracts Testnet Releases\n\nThe Maker Foundation will continue with as-needed deployments of the latest versions of the smart contracts to the Kovan testnet. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements, unless otherwise noted.\n\nThe bug bounty program will be applicable to only one release at a time as specified in this policy. Submissions should indicate to which release they relate.\n\n**The current release eligible for vulnerability reports is 1.0.4. 
Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com/)\n\n## Smart Contracts Investigation Tools\n\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD.\n\n- [https://docs.makerdao.com/maker-protocol-101](https://docs.makerdao.com/maker-protocol-101)\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n\n- [https://github.com/makerdao/dss](https://github.com/makerdao/dss)\n- [https://github.com/makerdao/dss/wiki](https://github.com/makerdao/dss/wiki)\n\nIf reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:\n\n- [https://docs.makerdao.com/other-documentation/smart-contract-annotations](https://docs.makerdao.com/other-documentation/smart-contract-annotations)\n\nDeployment Scripts:\n\n- [https://github.com/makerdao/dss-deploy](https://github.com/makerdao/dss-deploy)\n- [https://github.com/makerdao/dss-deploy-scripts](https://github.com/makerdao/dss-deploy-scripts)\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n\n- [https://dapp.tools/seth/](https://dapp.tools/seth/)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n\n- [https://github.com/makerdao/mcd-cli](https://github.com/makerdao/mcd-cli)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. 
See the [changelog](https://changelog.makerdao.com/) to get the faucet address for the relevant deployment (`FAUCET`).\n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\n\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\n\nThe scope of our program focuses on exploiting specific externally facing infrastructure owned by Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope with this program are listed below. We expect to include more domains in the future.\n\n- [forum.makerdao.com](http://forum.makerdao.com/)\n- [chat.makerdao.com](http://chat.makerdao.com/)\n- [blog.makerdao.com](http://blog.makerdao.com/)\n- [support.makerdao.com](http://support.makerdao.com/)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-13T13:48:56.529Z"},{"id":3634915,"new_policy":"# Introduction\n\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n\n1. Smart contracts for Multi-Collateral Dai\n2. 
Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\n\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\n\nA bug report may qualify for a reward only when:\n\n- It makes the Maker team aware of the bug for the first time.\n- The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public.\n- The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program.\n- A bug is reported without any conditions, demands, or threats.\n- The investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n- The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    - The conditions on which reproducing the bug is contingent.\n    - The steps needed to reproduce the bug or, better yet, a proof of concept. 
If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    - The potential implications of the vulnerability being abused.\n- Multiples or duplicates\n    - Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    - When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    - Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n\n# Ineligible methods\n\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n- Social engineering\n- DDoS attack\n- Spamming\n- Any physical attacks against Maker Foundation property, data centers or employees\n- Automated tools\n- Compromising or misusing third party systems or services\n\n# Ineligible bugs\n\n- Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program.\n- Vulnerabilities in outdated software from Maker or which affect only outdated third party software.\n- Bugs that are not reproducible.\n- Bugs disclosed to other parties without consent from the Maker team.\n- Issues which we cannot reasonably be expected to be able to do anything about.\n- Cookies missing security flags (for non-sensitive cookies).\n- Additional missing security controls often considered “Best practice”, such as:\n    - Content Security Policy (CSP) HTTP header\n    - HTTP Public Key Pinning (HPKP)\n    - Subresource integrity\n    - Referrer Policy\n- The following vulnerabilities in a vendor we integrate with:\n    
- Cross-site Scripting (XSS)\n    - Cross-Site Request Forgery (CSRF)\n    - Cross Frame Scripting\n    - Content Spoofing\n- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n- Weak TLS and SSL ciphers (which we are already aware of)\n\n# Time to response\n\nPlease allow 5 business days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\n\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker Foundation team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to [integrate+bugbounty@makerdao.com](mailto:integrate+bugbounty@makerdao.com).\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n\n# SMART CONTRACTS PROGRAM\n\n## Introduction\n\nThe smart contracts bug bounty program will develop in iterations:\n\n- The scope of contracts will increase. 
Contracts already in scope may be updated on a bi-weekly basis as shown on [changelog.makerdao.com](http://changelog.makerdao.com/)\n- Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely.\n\nThe scope is a selection of the core smart contracts of MCD as deployed on the Ethereum Kovan testnet, while more contracts will be added as needed.\n\nThe minimum amounts will also increase in future iterations of the bug bounty program.\n\n## Special Requirements for Critical Smart Contract bugs\n\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs, which must meet the following requirements:\n\n- The bug must allow a user to steal Collateral tokens, Dai or MKR representing at least 10% of the value of all collateral tokens from the system.\n- The attack must be triggered through an attack vector that is more than just theoretical.\n- The system must be in normal operational mode or emergency shutdown mode. This excludes for example any states during deployment or shortly after when the system is not fully initialized.\n\n**Note: All Smart Contract bugs must include a POC implementation with reproducible steps. This can take the form of a Solidity or JavaScript test or a list of actions that clearly shows how the bug occurs.** We recommend using [Dapp tools](https://github.com/dapphub/dapptools) or [Truffle](https://www.trufflesuite.com/) for testing.\n\n## Smart Contracts Scope\n\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. 
Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n- **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n- **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n- **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n- **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n- **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n- **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n- **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n- **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n- **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n- **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n- **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. 
Currently it is `dss/Dai.sol`)\n- **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n- **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    - Note: We are aware that the balance of the contract may be different from the total amount that is deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n- Adapters\n    - **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n    - **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    - **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    - **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    - **[GemJoin5](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_USDC_A`) - USDC Adapter\n    - Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different from the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Instant Access Modules**\n\n- **[OsmMom](https://github.com/makerdao/osm-mom/blob/master/src/OsmMom.sol)** (`OSM_MOM`) - allows oracle price updates to be halted without a governance delay\n- **[FlipperMom](https://github.com/makerdao/flipper-mom/blob/master/src/FlipperMom.sol)** (`FLIPPER_MOM`) - allows liquidations to be enabled and disabled without a governance delay\n\n**Oracles**\n\n- **[Median](https://github.com/makerdao/median)** (to get the address, call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n- **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n**Governance**\n\nThe smart contracts included for \"governance\" have special limitations on the types of bugs that are currently considered in scope. For instance, it is a known design aspect of governance that governance has \"root\" access to the MCD system and with this permission is able to manipulate system parameters in such a way that it could take actions that would qualify under this program scope. We have recently added the Governance Security Module (see pause scope below) to provide a delay in governance actions and additional protection against malicious governance proposals. Generic \"Governance could be malicious\" reports **are not in scope**.\n\nHowever, bugs in the [DS-Chief contract](https://github.com/dapphub/ds-chief/blob/master/src/chief.sol) that result in the voting with, locking, or theft of MKR tokens that are not owned by the attacker are considered in scope. 
A bug that shows an attacker locking, voting with, or stealing another user's MKR through a bug in the Chief would be considered **critical**.\n\nAdditionally, bugs in the [Pause](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L21) or [Pause Proxy](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L109) contracts or MCD system permissions that allow a Governance proposal to be enacted without waiting for the pause would be considered in scope. Specifically excluded from this scope would be an attack that relies on clogging the Ethereum network, colluding with miners, or Governance not noticing or being overwhelmed by malicious proposals long enough for the delay to pass. A bug that allows governance to act instantaneously through the pause contract or to directly affect some permissioned part of the MCD system is in scope unless done via an Instant Access Module (IAM). IAMs are smart contracts with permissions that permit bypassing of the governance delay for specific actions, which are either deemed to be safe, or to be necessary as emergency defenses. Any behavior of an instant access module that violates the intent of that module is still a bug.\n\n**Attacks Leveraging Other DeFi Protocols**\n\nAttacks in the DeFi space sometimes combine multiple protocols (e.g. utilizing flash loans from a margin protocol or manipulating the spot prices on a DEX). POCs or descriptions of bug exploits may utilize such mechanisms, either to make an attack more severe than it would be in isolation, or to achieve an attack that would otherwise be impossible or infeasible. However, they will only be considered in-scope so long as:\n\n1. Losses or other negative effects of the attack are inflicted upon Maker ecosystem participants: MKR holders, DAI holders, Vault holders, or Keepers. 
If the losses or negative effects are inflicted solely upon other (external) protocols, the attack is not in scope for this bounty program (though we would encourage you to responsibly disclose to those protocols).\n2. The losses or other negative effects could be prevented via changes to the MCD smart contracts already included in the bounty scope.\n3. The additional DeFi protocols used exist as smart contracts on the Ethereum mainnet and can reasonably be expected to have enough liquidity in various assets to allow the attack to succeed (when there is insufficient liquidity to achieve the claimed severity level but the attack is still possible, it will still be considered in-scope but with a downgraded severity level).\n\n## Smart Contracts Testnet Releases\n\nThe Maker Foundation will continue with as-needed deployments of the latest versions of the smart contracts to the Kovan testnet. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements, unless otherwise noted.\n\nThe bug bounty program will be applicable to only one release at a time as specified in this policy. Submissions should indicate to which release they relate.\n\n**The current release eligible for vulnerability reports is 1.0.4. 
Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com/)\n\n## Smart Contracts Investigation Tools\n\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD.\n\n- [https://docs.makerdao.com/maker-protocol-101](https://docs.makerdao.com/maker-protocol-101)\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n\n- [https://github.com/makerdao/dss](https://github.com/makerdao/dss)\n- [https://github.com/makerdao/dss/wiki](https://github.com/makerdao/dss/wiki)\n\nIf reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:\n\n- [https://docs.makerdao.com/other-documentation/smart-contract-annotations](https://docs.makerdao.com/other-documentation/smart-contract-annotations)\n\nDeployment Scripts:\n\n- [https://github.com/makerdao/dss-deploy](https://github.com/makerdao/dss-deploy)\n- [https://github.com/makerdao/dss-deploy-scripts](https://github.com/makerdao/dss-deploy-scripts)\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n\n- [https://dapp.tools/seth/](https://dapp.tools/seth/)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n\n- [https://github.com/makerdao/mcd-cli](https://github.com/makerdao/mcd-cli)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. 
See the [changelog](https://changelog.makerdao.com/) to get the faucet address for the relevant deployment (`FAUCET`).\n\nTo claim tokens use the following `seth` command (note the straight single quotes; curly quotes will not be parsed by the shell):\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\n\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\n\nThe scope of our program focuses on exploiting specific externally facing infrastructure owned by Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope with this program are listed below. We expect to include more domains in the future.\n\n- [forum.makerdao.com](http://forum.makerdao.com/)\n- [chat.makerdao.com](http://chat.makerdao.com/)\n- [blog.makerdao.com](http://blog.makerdao.com/)\n- [support.makerdao.com](http://support.makerdao.com/)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-13T13:47:45.704Z"},{"id":3634914,"new_policy":"# Bug Bounty Scope revision\n\n# Introduction\n\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n\n1. Smart contracts for Multi-Collateral Dai\n2. 
Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\n\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\n\nA bug report may qualify for a reward only when:\n\n- It makes the Maker team aware of the bug for the first time.\n- The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public.\n- The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program.\n- A bug is reported without any conditions, demands, or threats.\n- The investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n- The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n- A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    - The conditions on which reproducing the bug is contingent.\n    - The steps needed to reproduce the bug or, better yet, a proof of concept. 
If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    - The potential implications of the vulnerability being abused.\n- Multiples or duplicates\n    - Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    - When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    - Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n\n# Ineligible methods\n\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n- Social engineering\n- DDoS attack\n- Spamming\n- Any physical attacks against Maker Foundation property, data centers or employees\n- Automated tools\n- Compromising or misusing third party systems or services\n\n# Ineligible bugs\n\n- Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program.\n- Vulnerabilities in outdated software from Maker or which affect only outdated third party software.\n- Bugs that are not reproducible.\n- Bugs disclosed to other parties without consent from the Maker team.\n- Issues which we cannot reasonably be expected to be able to do anything about.\n- Cookies missing security flags (for non-sensitive cookies).\n- Additional missing security controls often considered “Best practice”, such as:\n    - Content Security Policy (CSP) HTTP header\n    - HTTP Public Key Pinning (HPKP)\n    - Subresource integrity\n    - Referrer Policy\n- The following vulnerabilities in a vendor we integrate with:\n    
- Cross-site Scripting (XSS)\n    - Cross-Site Request Forgery (CSRF)\n    - Cross Frame Scripting\n    - Content Spoofing\n- Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.\n- Weak TLS and SSL ciphers (which we are already aware of)\n\n# Time to response\n\nPlease allow 5 business days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\n\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker Foundation team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to [integrate+bugbounty@makerdao.com](mailto:integrate+bugbounty@makerdao.com).\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n\n# SMART CONTRACTS PROGRAM\n\n## Introduction\n\nThe smart contracts bug bounty program will develop in iterations:\n\n- The scope of contracts will increase. 
Contracts already in scope may be updated on a bi-weekly basis as shown on [changelog.makerdao.com](http://changelog.makerdao.com/)\n- Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely.\n\nThe scope is a selection of the core smart contracts of MCD as deployed on the Ethereum Kovan testnet, while more contracts will be added as needed.\n\nThe minimum amounts will also increase in future iterations of the bug bounty program.\n\n## Special Requirements for Critical Smart Contract bugs\n\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:\n\n- The bug must allow a user to steal Collateral tokens, Dai or MKR representing at least 10% of the value of all collateral tokens from the system.\n- The attack must be triggered through an attack vector that is more than just theoretical.\n- The system must be in normal operational mode or emergency shutdown mode. This excludes for example any states during deployment or shortly after when the system is not fully initialized.\n\n**Note: All Smart Contract bugs must include a POC implementation with reproducible steps. This can take the form of a Solidity or JavaScript test or a list of actions that clearly shows how the bug occurs.** We recommend using [Dapp tools](https://github.com/dapphub/dapptools) or [Truffle](https://www.trufflesuite.com/) for testing.\n\n## Smart Contracts Scope\n\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. 
Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n- **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n- **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n- **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n- **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n- **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n- **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n- **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n- **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n- **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n- **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n- **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. 
Currently it is `dss/Dai.sol`)\n- **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n- **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    - Note: We are aware that the balance of the contract may be different from the total amount that is deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n- Adapters\n    - **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n    - **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    - **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    - **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    - **[GemJoin5](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_USDC_A`) - USDC Adapter\n    - Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different from the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Instant Access Modules**\n\n- **[OsmMom](https://github.com/makerdao/osm-mom/blob/master/src/OsmMom.sol)** (`OSM_MOM`) - allows oracle price updates to be halted without a governance delay\n- **[FlipperMom](https://github.com/makerdao/flipper-mom/blob/master/src/FlipperMom.sol)** (`FLIPPER_MOM`) - allows liquidations to be enabled and disabled without a governance delay\n\n**Oracles**\n\n- **[Median](https://github.com/makerdao/median)** (to get the address, call `src()` on the relevant OSM, for example `seth call $PIP_ETH 'src()(address)'`) - Medianizer for Oracles\n- **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) - Oracle Security Module\n\n**Governance**\n\nThe smart contracts included for \"governance\" have special limitations on the types of bugs that are currently considered in scope.  For instance, it is a known design aspect of governance that governance has \"root\" access to the MCD system and with this permission is able to manipulate system parameters in such a way that it could take actions that would qualify under this program scope.  We have recently added the Governance Security Module (see pause scope below) to provide a delay in governance actions and additional protection against malicious governance proposals.  Generic \"Governance could be malicious\" reports **are not in scope**.\n\nHowever, bugs in the [DS-Chief contract](https://github.com/dapphub/ds-chief/blob/master/src/chief.sol) that result in the voting with, locking, or theft of MKR tokens that are not owned by the attacker are considered in scope. 
A bug that shows an attacker locking, voting with, or stealing another user's MKR through a bug in the Chief would be considered **critical**.\n\nAdditionally, bugs in the [Pause](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L21) or [Pause Proxy](https://github.com/dapphub/ds-pause/blob/master/src/pause.sol#L109) contracts or MCD system permissions that allow a Governance proposal to be enacted without waiting for the pause would be considered in scope.  Specifically excluded from this scope would be an attack that relies on clogging the Ethereum network, colluding with miners, or Governance not noticing or being overwhelmed by malicious proposals long enough for the delay to pass. A bug that allows governance to act instantaneously through the pause contract or to directly affect some permissioned part of the MCD system is in scope unless done via an Instant Access Module (IAM). IAMs are smart contracts with permissions that permit bypassing of the governance delay for specific actions, which are either deemed to be safe, or to be necessary as emergency defenses. Any behavior of an instant access module that violates the intent of that module is still a bug.\n\n**Attacks Leveraging Other DeFi Protocols**\n\nAttacks in the DeFi space sometimes combine multiple protocols (e.g. utilizing flash loans from a margin protocol or manipulating the spot prices on a DEX). POCs or descriptions of bug exploits may utilize such mechanisms, either to make an attack more severe than it would be in isolation, or to achieve an attack that would otherwise be impossible or infeasible. However, they will only be considered in scope so long as:\n\n1. Losses or other negative effects of the attack are inflicted upon Maker ecosystem participants—MKR holders, DAI holders, Vault holders, or Keepers. 
If the losses or negative effects are inflicted solely upon other (external) protocols, the attack is not in scope for this bounty program (though we would encourage you to responsibly disclose to those protocols).\n2. The losses or other negative effects could be prevented via changes to the MCD smart contracts already included in the bounty scope.\n3. The additional DeFi protocols used exist as smart contracts on the Ethereum mainnet and can reasonably be expected to have enough liquidity in various assets to allow the attack to succeed (when there is insufficient liquidity to achieve the claimed severity level but the attack is still possible, it will still be considered in-scope but with a downgraded severity level).\n\n## Smart Contracts Testnet Releases\n\nThe Maker Foundation will continue with as-needed deployments of the latest versions of the smart contracts to the Kovan testnet. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements, unless otherwise noted.\n\nThe bug bounty program will be applicable to only one release at a time as specified in this policy. Submissions should indicate to which release they relate.\n\n**The current release eligible for vulnerability reports is 1.0.4. 
Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com/)\n\n## Smart Contracts Investigation Tools\n\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD.\n\n- [https://docs.makerdao.com/maker-protocol-101](https://docs.makerdao.com/maker-protocol-101)\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n\n- [https://github.com/makerdao/dss](https://github.com/makerdao/dss)\n- [https://github.com/makerdao/dss/wiki](https://github.com/makerdao/dss/wiki)\n\nIf reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:\n\n- [https://docs.makerdao.com/other-documentation/smart-contract-annotations](https://docs.makerdao.com/other-documentation/smart-contract-annotations)\n\nDeployment Scripts:\n\n- [https://github.com/makerdao/dss-deploy](https://github.com/makerdao/dss-deploy)\n- [https://github.com/makerdao/dss-deploy-scripts](https://github.com/makerdao/dss-deploy-scripts)\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n\n- [https://dapp.tools/seth/](https://dapp.tools/seth/)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n\n- [https://github.com/makerdao/mcd-cli](https://github.com/makerdao/mcd-cli)\n- [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. 
See the [changelog](https://changelog.makerdao.com/) to get the faucet address for the relevant deployment (`FAUCET`).\n\nTo claim tokens use the following `seth` command (note the straight single quotes; curly quotes will not be parsed by the shell):\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\n\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\n\nThe scope of our program focuses on exploiting specific externally facing infrastructure owned by Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope with this program are listed below. We expect to include more domains in the future.\n\n- [forum.makerdao.com](http://forum.makerdao.com/)\n- [chat.makerdao.com](http://chat.makerdao.com/)\n- [blog.makerdao.com](http://blog.makerdao.com/)\n- [support.makerdao.com](http://support.makerdao.com/)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-13T13:44:20.927Z"},{"id":3634323,"new_policy":"# Introduction\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n1. Smart contracts for Multi-Collateral Dai\n2. 
Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* The investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n* The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n* A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    * The conditions on which reproducing the bug is contingent.\n    * The steps needed to reproduce the bug or, better yet, a proof of concept. 
If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    * The potential implications of the vulnerability being abused.\n* Multiples or duplicates\n    * Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    * When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    * Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDoS attack\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker or which affect only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n* Cookies missing security flags (for non-sensitive cookies).\n* Additional missing security controls often considered “Best practice”, such as\n    * Content Security Policy (CSP) HTTP header\n    * HTTP Public Key Pinning (HPKP)\n    * Subresource integrity\n    * Referrer Policy\n* The following vulnerabilities in a vendor we integrate with:\n    * 
Cross-site Scripting (XSS)\n    * Cross-Site Request Forgery (CSRF)\n    * Cross Frame Scripting\n    * Content Spoofing\n* Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.\n* Weak TLS and SSL ciphers (which we are already aware of) \n\n# Time to response\nPlease allow 5 days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to infosec@makerdao.com.\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n \n# SMART CONTRACTS PROGRAM\n## Introduction\nThe smart contracts bug bounty program will develop in iterations: \n* The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on the Ethereum Kovan testnet, while more contracts will be added as needed.\n\nThe minimum amounts will also increase in future iterations of the bug bounty program.\n\n## Special Requirements for Critical Smart Contract bugs\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. 
One exception pertains to Critical bugs which must meet the following requirements:\n* The bug must allow a user to steal collateral tokens representing at least 10% of the value of all collateral tokens from the system.\n* The attack must be triggered through an attack vector that is more than just theoretical.\n* The system must be in normal operational mode or emergency shutdown mode. This excludes for example any states during deployment or shortly after when the system is not fully initialized.\n\n**Note: All Smart Contract bugs must include a POC implementation with reproducible steps.  This can take the form of a Solidity or JavaScript test or a list of actions that clearly shows how the bug occurs.** We recommend using [Dapp tools](https://github.com/dapphub/dapptools) or [Truffle](https://www.trufflesuite.com/) for testing.\n\n## Smart Contracts Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. 
Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. Currently it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    * Note: We are aware that the balance of the contract may be different from the total amount that is deposited if users send ETH directly to the contract. 
We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n* Adapters\n    * **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n    * **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    * **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    * **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    * Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different from the total amount that is joined through the contract if users send tokens or ETH directly to the contract. We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get the address, call `src()` on the relevant OSM, for example `seth call $PIP_ETH 'src()(address)'`) - Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) - Oracle Security Module\n\n## Smart Contracts Bi-weekly Releases\n\nThe Maker Foundation will continue with as-needed deployments of the latest versions of the smart contracts to the Kovan testnet. 
New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements, unless otherwise noted.\n\nThe bug bounty program will be applicable to only one release at a time as specified in this policy. Submissions should indicate to which release they relate.\n\n**The current release eligible for vulnerability reports is [1.0.2](https://changelog.makerdao.com/releases/kovan/1.0.2/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com).\n\n## Smart Contracts Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD.\n* https://docs.makerdao.com/maker-protocol-101\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nIf reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:\n* https://docs.makerdao.com/other-documentation/smart-contract-annotations\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`).
\n\nTo claim tokens, use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\nThe scope of our program focuses on exploiting specific externally facing infrastructure owned by Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope with this program are listed below. We expect to include more domains in the future.\n\n* forum.makerdao.com\n* chat.makerdao.com\n* blog.makerdao.com\n* support.makerdao.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-31T13:13:35.351Z"},{"id":3629378,"new_policy":"# Introduction\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. 
One exception to this is described in the Smart Contracts section.\n\n# Report policy\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* The investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n* The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n* A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    * The conditions on which reproducing the bug is contingent.\n    * The steps needed to reproduce the bug or, better yet, a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    * The potential implications of the vulnerability being abused.\n* Multiples or duplicates\n    * Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    * When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    * Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Rewards amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. 
We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDoS attack\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team, including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker, or which affect only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n* Cookies missing security flags (for non-sensitive cookies).\n* Additional missing security controls often considered “Best practice”, such as:\n    * Content Security Policy (CSP) HTTP header\n    * HTTP Public Key Pinning (HPKP)\n    * Subresource integrity\n    * Referrer Policy\n* The following vulnerabilities in a vendor we integrate with:\n    * Cross-Site Scripting (XSS)\n    * Cross-Site Request Forgery (CSRF)\n    * Cross Frame Scripting\n    * Content Spoofing\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n* Weak TLS and SSL ciphers (that we are already aware of)\n\n# Time to response\nPlease allow 5 days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. 
We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n \n# SMART CONTRACTS PROGRAM\n## Introduction\nThe smart contracts bug bounty program will develop in iterations: \n* The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on the Ethereum Kovan testnet, while more contracts will be added as needed.\n\nThe minimum amounts will also increase in future iterations of the bug bounty program.\n\n## Special Requirements for Critical Smart Contract bugs\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:\n* The bug must allow a user to steal collateral tokens representing at least 10% of the value of all collateral tokens from the system.\n* The attack must be triggered through an attack vector that is more than just theoretical.\n* The system must be in normal operational mode or emergency shutdown mode. This excludes for example any states during deployment or shortly after when the system is not fully initialized.\n\n**Note: All Smart Contract bugs must include a POC implementation with reproducible steps.  
This can be in the form of a Solidity or JavaScript test or a list of actions that clearly shows how the bug occurs.** We recommend using [Dapp tools](https://github.com/dapphub/dapptools) or [Truffle](https://www.trufflesuite.com/) for testing.\n\n## Smart Contracts Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts over the course of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* 
**[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`)- Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. Currently it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    * Note: We are aware that the balance of the contract may be different than the total amount that is deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n* Adapters\n    * **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n    * **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    * **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    * **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    * Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different than the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n## Smart Contracts Bi-weekly Releases\n\nThe Maker Foundation will continue with as-needed deployments of the latest versions of the smart contracts to the Kovan testnet. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements, unless otherwise noted.\n\n The bug bounty program will be applicable to only one release at a time as specified in this policy. Submissions should indicate to which release they relate.\n\n**The current release eligible for vulnerability reports is [1.0.2](https://changelog.makerdao.com/releases/kovan/1.0.2/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com)\n\n## Smart Contracts Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD. 
\n* https://docs.makerdao.com/maker-protocol-101\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nIf reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:\n* https://docs.makerdao.com/other-documentation/smart-contract-annotations\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`).\n\nTo claim tokens, use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\nThe scope of our program focuses on exploiting specific externally facing infrastructure owned by Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope with this program are listed below. 
We expect to include more domains in the future.\n\n* forum.makerdao.com\n* chat.makerdao.com\n* blog.makerdao.com\n* support.makerdao.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-28T16:15:22.481Z"},{"id":3629017,"new_policy":"# Introduction\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* The investigation method and vulnerability report must adhere to the guidelines in this document. 
It is ultimately our sole discretion whether a report meets the reward requirements.\n* The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n* A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    * The conditions on which reproducing the bug is contingent.\n    * The steps needed to reproduce the bug or, better yet, a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    * The potential implications of the vulnerability being abused.\n* Multiples or duplicates\n    * Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    * When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    * Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Rewards amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDoS attack\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team, including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker, or which affect only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n* Cookies missing security flags (for non-sensitive cookies).\n* Additional missing security controls often considered “Best practice”, such as:\n    * Content Security Policy (CSP) HTTP header\n    * HTTP Public Key Pinning (HPKP)\n    * Subresource integrity\n    * Referrer Policy\n* The following vulnerabilities in a vendor we integrate with:\n    * Cross-Site Scripting (XSS)\n    * Cross-Site Request Forgery (CSRF)\n    * Cross Frame Scripting\n    * Content Spoofing\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.\n* Weak TLS and SSL ciphers (that we are already aware of)\n\n# Time to response\nPlease allow 5 days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. 
If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n \n# SMART CONTRACTS PROGRAM\n## Introduction\nThe smart contracts bug bounty program will develop in iterations towards the launch of Multi-Collateral Dai (MCD) where: \n* The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch.\n\nThe minimum amounts will also increase in iterations of the bug bounty program towards the launch of Multi-Collateral Dai.\n\n## Special Requirements for Critical Smart Contract bugs\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:\n* The bug must allow a user to steal collateral tokens representing at least 10% of the value of all collateral tokens from the system.\n* The attack must be triggered through an attack vector that is more than just theoretical.\n* The system must be in normal operational mode or emergency shutdown mode. This excludes for example any states during deployment or shortly after when the system is not fully initialized.\n\n**Note: All Smart Contract bugs must include a POC implementation with reproducible steps.  
This can be in the form of a Solidity or JavaScript test or a list of actions that clearly shows how the bug occurs.** We recommend using [Dapp tools](https://github.com/dapphub/dapptools) or [Truffle](https://www.trufflesuite.com/) for testing.\n\n## Smart Contracts Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts over the course of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* 
**[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`)- Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. Currently it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    * Note: We are aware that the balance of the contract may be different than the total amount that is deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n* Adapters\n    * **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n    * **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    * **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    * **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    * Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different than the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n## Smart Contracts Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements. \n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [1.0.2](https://changelog.makerdao.com/releases/kovan/1.0.2/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com)\n\n## Smart Contracts Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD. 
\n* https://docs.makerdao.com/maker-protocol-101\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nIf reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:\n* https://docs.makerdao.com/other-documentation/smart-contract-annotations\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`).\n\nTo claim tokens, use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\nThe scope of our program focuses on exploiting specific externally facing infrastructure owned by Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope with this program are listed below. 
We expect to include more domains in the future.\n\n* forum.makerdao.com\n* chat.makerdao.com\n* blog.makerdao.com\n* support.makerdao.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-23T17:43:08.153Z"},{"id":3628810,"new_policy":"# Introduction\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* The investigation method and vulnerability report must adhere to the guidelines in this document. 
It is ultimately our sole discretion whether a report meets the reward requirements.\n* The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n* A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    * The conditions on which reproducing the bug is contingent.\n    * The steps needed to reproduce the bug or, better yet, a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    * The potential implications of the vulnerability being abused.\n* Multiples or duplicates\n    * Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    * When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    * Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Rewards amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDOS attack\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker or which affects only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n* Cookie's missing security flags (for non-sensitive cookies).\n* Additional missing security controls often considered “Best practice”, such as\n    * Content Security Policy (CSP) HTTP header\n    * HTTP Public Key Pinning (HPKP)\n    * Subresource integrity\n    * Referrer Policy\n* The following vulnerabilities in a vendor we integrate with:\n    * Cross-site Scripting (XSS)\n    * Cross-Site Request Forgery (CSRF)\n    * Cross Frame Scripting\n    * Content Spoofing\n* Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.\n* Weak TLS and SSL cyphers (we are already aware of) \n\n# Time to response\nPlease allow 5 days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. 
If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n \n# SMART CONTRACTS PROGRAM\n## Introduction\nThe smart contracts bug bounty program will develop in iterations towards the launch of Multi-Collateral Dai (MCD) where: \n* The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch.\n\nThe minimum amounts will also increase in iterations of the bug bounty program towards the launch of Multi-Collateral Dai.\n\n## Special Requirements for Critical Smart Contract bugs\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:\n* The bug must allow a user to steal collateral tokens representing at least 10% of the value of all collateral tokens from the system.\n* The attack must be triggered through an attack vector that is more than just theoretical.\n* The system must be in normal operational mode or emergency shutdown mode. 
This excludes for example any states during deployment or shortly after when the system is not fully initialized.\n* Qualification for Critical will require a POC implementation and reproducible steps.\n\n## Smart Contracts Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as following:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** 
(`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`)- Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. Currently it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    * Note: We are aware that the balance of the contract may be different than the total amount that is deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n* Adapters\n    * **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n    * **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    * **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    * **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    * Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different than the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n## Smart Contracts Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements. \n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [1.0.2](https://changelog.makerdao.com/releases/kovan/1.0.2/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com)\n\n## Smart Contracts Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD. 
\n* https://docs.makerdao.com/maker-protocol-101\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nIf reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:\n* https://docs.makerdao.com/other-documentation/smart-contract-annotations\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand line-tool for interacting with MCD. \n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md) \n\n**Faucet**\nA faucet is available to faciliate obtaining MKR and Collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`). \n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET ‘gimme()’`\n\nThis will only work once per address. \n\n# INFRASTRUCTURE PROGRAM\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\nThe scope of our program focuses on exploiting specific externally facing infrastructure owned by Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope with this program are listed below. 
We expect to include more domains in the future.\n\n* forum.makerdao.com\n* chat.makerdao.com\n* blog.makerdao.com\n* support.makerdao.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-21T17:30:04.421Z"},{"id":3624815,"new_policy":"# Introduction\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* The investigation method and vulnerability report must adhere to the guidelines in this document. 
It is ultimately our sole discretion whether a report meets the reward requirements.\n* The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n* A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    * The conditions on which reproducing the bug is contingent.\n    * The steps needed to reproduce the bug or, better yet, a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    * The potential implications of the vulnerability being abused.\n* Multiples or duplicates\n    * Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    * When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    * Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Rewards amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDOS attack\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker or which affects only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n* Cookie's missing security flags (for non-sensitive cookies).\n* Additional missing security controls often considered “Best practice”, such as\n    * Content Security Policy (CSP) HTTP header\n    * HTTP Public Key Pinning (HPKP)\n    * Subresource integrity\n    * Referrer Policy\n* The following vulnerabilities in a vendor we integrate with:\n    * Cross-site Scripting (XSS)\n    * Cross-Site Request Forgery (CSRF)\n    * Cross Frame Scripting\n    * Content Spoofing\n* Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.\n* Weak TLS and SSL cyphers (we are already aware of) \n\n# Time to response\nPlease allow 5 days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. 
If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n \n# SMART CONTRACTS PROGRAM\n## Introduction\nThe smart contracts bug bounty program will develop in iterations towards the launch of Multi-Collateral Dai (MCD) where: \n* The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch.\n\nThe minimum amounts will also increase in iterations of the bug bounty program towards the launch of Multi-Collateral Dai.\n\n## Special Requirements for Critical Smart Contract bugs\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:\n* The bug must allow a user to steal collateral tokens representing at least 10% of the value of all collateral tokens from the system.\n* The attack must be triggered through an attack vector that is more than just theoretical.\n* The system must be in normal operational mode or emergency shutdown mode. 
This excludes for example any states during deployment or shortly after when the system is not fully initialized.\n* Qualification for Critical will require a POC implementation and reproducible steps.\n\n## Smart Contracts Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as following:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** 
(`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`)- Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. Currently it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    * Note: We are aware that the balance of the contract may be different than the total amount that is deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n* Adapters\n    * **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n    * **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    * **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    * **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    * Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different than the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n## Smart Contracts Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements. \n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.17](https://changelog.makerdao.com/releases/kovan/0.2.17/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com)\n\n## Smart Contracts Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD. 
\n* https://docs.makerdao.com/maker-protocol-101\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nIf reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:\n* https://docs.makerdao.com/other-documentation/smart-contract-annotations\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand line-tool for interacting with MCD. \n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md) \n\n**Faucet**\nA faucet is available to faciliate obtaining MKR and Collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`). \n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET ‘gimme()’`\n\nThis will only work once per address. \n\n# INFRASTRUCTURE PROGRAM\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\nThe scope of our program focuses on exploiting specific externally facing infrastructure owned by Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope with this program are listed below. 
We expect to include more domains in the future.\n\n* forum.makerdao.com\n* chat.makerdao.com\n* blog.makerdao.com\n* support.makerdao.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-29T07:37:49.354Z"},{"id":3624783,"new_policy":"# Introduction\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* The investigation method and vulnerability report must adhere to the guidelines in this document. 
It is ultimately our sole discretion whether a report meets the reward requirements.\n* The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n* A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    * The conditions on which reproducing the bug is contingent.\n    * The steps needed to reproduce the bug or, better yet, a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    * The potential implications of the vulnerability being abused.\n* Multiples or duplicates\n    * Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    * When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    * Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Rewards amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDOS attack\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker or which affects only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n* Cookie's missing security flags (for non-sensitive cookies).\n* Additional missing security controls often considered “Best practice”, such as\n    * Content Security Policy (CSP) HTTP header\n    * HTTP Public Key Pinning (HPKP)\n    * Subresource integrity\n    * Referrer Policy\n* The following vulnerabilities in a vendor we integrate with:\n    * Cross-site Scripting (XSS)\n    * Cross-Site Request Forgery (CSRF)\n    * Cross Frame Scripting\n    * Content Spoofing\n* Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.\n* Weak TLS and SSL cyphers (we are already aware of) \n\n# Time to response\nPlease allow 5 days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. 
If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n \n# SMART CONTRACTS PROGRAM\n## Introduction\nThe smart contracts bug bounty program will develop in iterations towards the launch of Multi-Collateral Dai (MCD) where: \n* The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch.\n\nThe minimum amounts will also increase in iterations of the bug bounty program towards the launch of Multi-Collateral Dai.\n\n## Special Requirements for Critical Smart Contract bugs\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:\n* The bug must allow a user to steal collateral tokens representing at least 10% of the value of all collateral tokens from the system.\n* The attack must be triggered through an attack vector that is more than just theoretical.\n* The system must be in normal operational mode or emergency shutdown mode. 
This excludes, for example, any state during deployment or shortly after it, when the system is not fully initialized.\n* Qualification for Critical will require a PoC implementation and reproducible steps.\n\n## Smart Contracts Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** 
(`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note: in a previous version of the bug bounty program this was DSToken; currently it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    * Note: We are aware that the balance of the contract may differ from the total amount that is deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system, so unless a report can show how having a higher balance does have negative consequences, we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n* Adapters\n    * **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n    * **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    * **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    * **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    * Note: For all adapters, we are aware that the balance (ETH or token) of the contract may differ from the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system, so unless a report can show how having a higher balance does have negative consequences, we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get its address, call `src()` on the corresponding OSM, for example `seth call $PIP_ETH 'src()(address)'`) - Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) - Oracle Security Module\n\n## Smart Contracts Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements.\n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly, though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.17](https://changelog.makerdao.com/releases/kovan/0.2.17/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com).\n\n## Smart Contracts Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD. 
\n* https://github.com/makerdao/developerguides/blob/master/mcd/mcd-101/mcd-101.md\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nIf reading the codebase for the first time, we recommend overlaying our annotations for easier comprehension:\n* https://docs.makerdao.com/other-documentation/smart-contract-annotations\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`).\n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\nThe scope of our program focuses on specific externally facing infrastructure owned by the Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure, including select websites and DNS configurations.\n\nSystems in scope for this program are listed below. 
We expect to include more domains in the future.\n\n* forum.makerdao.com\n* chat.makerdao.com\n* blog.makerdao.com\n* support.makerdao.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-28T16:25:10.497Z"},{"id":3623631,"new_policy":"# Introduction\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* The investigation method and vulnerability report must adhere to the guidelines in this document. 
It is ultimately our sole discretion whether a report meets the reward requirements.\n* The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n* A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    * The conditions on which reproducing the bug is contingent.\n    * The steps needed to reproduce the bug or, better yet, a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    * The potential implications of the vulnerability being abused.\n* Multiples or duplicates\n    * Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    * When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    * Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Rewards amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDoS attack\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team, including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker, or which affect only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n* Cookies missing security flags (for non-sensitive cookies)\n* Additional missing security controls often considered “Best practice”, such as:\n    * Content Security Policy (CSP) HTTP header\n    * HTTP Public Key Pinning (HPKP)\n    * Subresource Integrity (SRI)\n    * Referrer Policy\n* The following vulnerabilities in a vendor we integrate with:\n    * Cross-Site Scripting (XSS)\n    * Cross-Site Request Forgery (CSRF)\n    * Cross-Frame Scripting\n    * Content Spoofing\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Weak TLS and SSL ciphers (we are already aware of these)\n\n# Time to response\nPlease allow 5 days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. 
If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n \n# SMART CONTRACTS PROGRAM\n## Introduction\nThe smart contracts bug bounty program will develop in iterations towards the launch of Multi-Collateral Dai (MCD) where: \n* The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch.\n\nThe minimum amounts will also increase in iterations of the bug bounty program towards the launch of Multi-Collateral Dai.\n\n## Special Requirements for Critical Smart Contract bugs\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:\n* The bug must allow a user to steal collateral tokens representing at least 10% of the value of all collateral tokens from the system.\n* The attack must be triggered through an attack vector that is more than just theoretical.\n* The system must be in normal operational mode or emergency shutdown mode. 
This excludes, for example, any state during deployment or shortly after it, when the system is not fully initialized.\n* Qualification for Critical will require a PoC implementation and reproducible steps.\n\n## Smart Contracts Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** 
(`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note: in a previous version of the bug bounty program this was DSToken; currently it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    * Note: We are aware that the balance of the contract may differ from the total amount that is deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system, so unless a report can show how having a higher balance does have negative consequences, we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n* Adapters\n    * **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n    * **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    * **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    * **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    * Note: For all adapters, we are aware that the balance (ETH or token) of the contract may differ from the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system, so unless a report can show how having a higher balance does have negative consequences, we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get its address, call `src()` on the corresponding OSM, for example `seth call $PIP_ETH 'src()(address)'`) - Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) - Oracle Security Module\n\n## Smart Contracts Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements.\n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly, though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.17](https://changelog.makerdao.com/releases/kovan/0.2.17/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com).\n\n## Smart Contracts Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD. 
\n* https://github.com/makerdao/developerguides/blob/master/mcd/mcd-101/mcd-101.md\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`).\n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\nThe scope of our program focuses on specific externally facing infrastructure owned by the Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure, including select websites and DNS configurations.\n\nSystems in scope for this program are listed below. 
We expect to include more domains in the future.\n\n* forum.makerdao.com\n* chat.makerdao.com\n* blog.makerdao.com\n* support.makerdao.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-14T08:29:56.175Z"},{"id":3622914,"new_policy":"# Introduction\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* The investigation method and vulnerability report must adhere to the guidelines in this document. 
It is ultimately our sole discretion whether a report meets the reward requirements.\n* The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n* A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    * The conditions on which reproducing the bug is contingent.\n    * The steps needed to reproduce the bug or, better yet, a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    * The potential implications of the vulnerability being abused.\n* Multiples or duplicates\n    * Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    * When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    * Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Rewards amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDoS attack\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team, including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker, or which affect only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n* Cookies missing security flags (for non-sensitive cookies)\n* Additional missing security controls often considered “Best practice”, such as:\n    * Content Security Policy (CSP) HTTP header\n    * HTTP Public Key Pinning (HPKP)\n    * Subresource Integrity (SRI)\n    * Referrer Policy\n* The following vulnerabilities in a vendor we integrate with:\n    * Cross-Site Scripting (XSS)\n    * Cross-Site Request Forgery (CSRF)\n    * Cross-Frame Scripting\n    * Content Spoofing\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Weak TLS and SSL ciphers (we are already aware of these)\n\n# Time to response\nPlease allow 5 days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. 
If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n \n# SMART CONTRACTS PROGRAM\n## Introduction\nThe smart contracts bug bounty program will develop in iterations towards the launch of Multi-Collateral Dai (MCD) where: \n* The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch.\n\nThe minimum amounts will also increase in iterations of the bug bounty program towards the launch of Multi-Collateral Dai.\n\n## Special Requirements for Critical Smart Contract bugs\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:\n* The bug must allow a user to steal collateral tokens representing at least 10% of the value of all collateral tokens from the system.\n* The attack must be triggered through an attack vector that is more than just theoretical.\n* The system must be in normal operational mode or emergency shutdown mode. 
This excludes, for example, any state during deployment or shortly after it, when the system is not fully initialized.\n* Qualification for Critical will require a PoC implementation and reproducible steps.\n\n## Smart Contracts Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** 
(`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note: in a previous version of the bug bounty program this was DSToken; currently it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    * Note: We are aware that the balance of the contract may differ from the total amount that is deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system, so unless a report can show how having a higher balance does have negative consequences, we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n* Adapters\n    * **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n    * **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    * **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    * **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    * Note: For all adapters, we are aware that the balance (ETH or token) of the contract may differ from the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n## Smart Contracts Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements. \n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.15](https://changelog.makerdao.com/releases/kovan/0.2.15/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com)\n\n## Smart Contracts Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD. 
\n* https://github.com/makerdao/developerguides/blob/master/mcd/mcd-101/mcd-101.md\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand line-tool for interacting with MCD. \n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md) \n\n**Faucet**\nA faucet is available to faciliate obtaining MKR and Collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`). \n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET ‘gimme()’`\n\nThis will only work once per address. \n\n# INFRASTRUCTURE PROGRAM\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\nThe scope of our program focuses on exploiting specific externally facing infrastructure owned by Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope with this program are listed below. 
We expect to include more domains in the future.\n\n* forum.makerdao.com\n* chat.makerdao.com\n* blog.makerdao.com\n* support.makerdao.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-04T16:30:08.289Z"},{"id":3621786,"new_policy":"# Introduction\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* The investigation method and vulnerability report must adhere to the guidelines in this document. 
It is ultimately at our sole discretion whether a report meets the reward requirements.\n* The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n* A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    * The conditions on which reproducing the bug is contingent.\n    * The steps needed to reproduce the bug or, better yet, a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    * The potential implications of the vulnerability being abused.\n* Multiples or duplicates\n    * Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    * When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    * Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDoS attacks\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team, including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker, or which affect only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n* Cookies missing security flags (for non-sensitive cookies)\n* Additional missing security controls often considered “best practice”, such as:\n    * Content Security Policy (CSP) HTTP header\n    * HTTP Public Key Pinning (HPKP)\n    * Subresource Integrity (SRI)\n    * Referrer Policy\n* The following vulnerabilities in a vendor we integrate with:\n    * Cross-site Scripting (XSS)\n    * Cross-Site Request Forgery (CSRF)\n    * Cross Frame Scripting\n    * Content Spoofing\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Weak TLS and SSL cipher suites that we are already aware of\n\n# Time to response\nPlease allow 5 days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. 
If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, any other affiliated persons, as well as anyone who belonged to the aforementioned categories at any time during the past 6 months, are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n \n# SMART CONTRACTS PROGRAM\n## Introduction\nThe smart contracts bug bounty program will develop in iterations towards the launch of Multi-Collateral Dai (MCD) where: \n* The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch.\n\nThe minimum amounts will also increase in iterations of the bug bounty program towards the launch of Multi-Collateral Dai.\n\n## Special Requirements for Critical Smart Contract bugs\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:\n* The bug must allow a user to steal collateral tokens representing at least 10% of the value of all collateral tokens from the system.\n* The attack must be triggered through an attack vector that is more than just theoretical.\n* The system must be in normal operational mode or emergency shutdown mode. 
This excludes, for example, any state during or shortly after deployment, when the system is not fully initialized.\n* Qualification for Critical requires a PoC implementation and reproducible steps.\n\n## Smart Contracts Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. The contracts may be redeployed while the bug bounty program is running. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** 
(`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note: in a previous version of the bug bounty program this was DSToken; it is now `dss/src/dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    * Note: We are aware that the ETH balance of the contract may differ from the total amount deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system, so unless a report can show that a higher balance has negative consequences, we will consider reports that the actual balance is higher than the sum of `balanceOf` values out of scope.\n* Adapters\n    * **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH and ZRX Adapter\n    * **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    * **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    * **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    * Note: For all adapters, we are aware that the balance (ETH or token) of the contract may differ from the total amount joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system, so unless a report can show that a higher balance has negative consequences, we will consider reports that the actual balance is higher than the sum of tokens passed through `join` out of scope.\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** - Medianizer for Oracles (to get its address, call `src()` on the corresponding OSM, for example `seth call $PIP_ETH 'src()(address)'`)\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) - Oracle Security Module\n\n## Smart Contracts Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements.\n\nThe bug bounty program applies to only one release at a time, and this release is also expected to update approximately bi-weekly, though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.10](https://changelog.makerdao.com/releases/0.2.10/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com).\n\n## Smart Contracts Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD. 
\n* https://github.com/makerdao/developerguides/blob/master/mcd/mcd-101/mcd-101.md\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`).\n\nTo claim tokens, use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\nThe scope of our program focuses on specific externally facing infrastructure owned by the Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation's public infrastructure, including select websites and DNS configurations.\n\nSystems in scope for this program are listed below. 
We expect to include more domains in the future.\n\n* forum.makerdao.com\n* chat.makerdao.com\n* blog.makerdao.com\n* support.makerdao.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-21T14:24:46.464Z"},{"id":3618769,"new_policy":"# Introduction\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for select public facing domains (**please see the \"Ineligible Bugs\" section below, especially regarding third party software, before submitting a report**)\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* The investigation method and vulnerability report must adhere to the guidelines in this document. 
It is ultimately at our sole discretion whether a report meets the reward requirements.\n* The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n\n* A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    * The conditions on which reproducing the bug is contingent.\n    * The steps needed to reproduce the bug or, better yet, a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    * The potential implications of the vulnerability being abused.\n* Multiples or duplicates\n    * Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    * When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    * Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDoS attacks\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team, including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker, or which affect only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n* Cookies missing security flags (for non-sensitive cookies)\n* Additional missing security controls often considered “best practice”, such as:\n    * Content Security Policy (CSP) HTTP header\n    * HTTP Public Key Pinning (HPKP)\n    * Subresource Integrity (SRI)\n    * Referrer Policy\n* The following vulnerabilities in a vendor we integrate with:\n    * Cross-site Scripting (XSS)\n    * Cross-Site Request Forgery (CSRF)\n    * Cross Frame Scripting\n    * Content Spoofing\n* Vulnerabilities only affecting users of outdated or unpatched browsers and platforms\n* Weak TLS and SSL cipher suites that we are already aware of\n\n# Time to response\nPlease allow 5 days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. 
If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, and any other affiliated persons are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n \n# SMART CONTRACTS PROGRAM\n## Introduction\nThe smart contracts bug bounty program will develop in iterations towards the launch of Multi-Collateral Dai (MCD) where: \n* The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch.\n\nThe minimum amounts will also increase in iterations of the bug bounty program towards the launch of Multi-Collateral Dai.\n\n## Special Requirements for Critical Smart Contract bugs\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:\n* The bug must allow a user to steal collateral tokens representing at least 10% of the value of all collateral tokens from the system.\n* The attack must be triggered through an attack vector that is more than just theoretical.\n* The system must be in normal operational mode or emergency shutdown mode. 
This excludes, for example, any state during or shortly after deployment, when the system is not fully initialized.\n* Qualification for Critical requires a PoC implementation and reproducible steps.\n\n## Smart Contracts Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. The contracts may be redeployed while the bug bounty program is running. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** 
(`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note: in a previous version of the bug bounty program this was DSToken; it is now `dss/src/dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    * Note: We are aware that the ETH balance of the contract may differ from the total amount deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system, so unless a report can show that a higher balance has negative consequences, we will consider reports that the actual balance is higher than the sum of `balanceOf` values out of scope.\n* Adapters\n    * **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH and ZRX Adapter\n    * **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    * **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    * **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    * Note: For all adapters, we are aware that the balance (ETH or token) of the contract may differ from the total amount joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system, so unless a report can show that a higher balance has negative consequences, we will consider reports that the actual balance is higher than the sum of tokens passed through `join` out of scope.\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** - Medianizer for Oracles (to get its address, call `src()` on the corresponding OSM, for example `seth call $PIP_ETH 'src()(address)'`)\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) - Oracle Security Module\n\n## Smart Contracts Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements.\n\nThe bug bounty program applies to only one release at a time, and this release is also expected to update approximately bi-weekly, though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.10](https://changelog.makerdao.com/releases/0.2.10/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com).\n\n## Smart Contracts Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD. 
\n* https://github.com/makerdao/developerguides/blob/master/mcd/mcd-101/mcd-101.md\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD.\n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md)\n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`).\n\nTo claim tokens, use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address.\n\n# INFRASTRUCTURE PROGRAM\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\nThe scope of our program focuses on specific externally facing infrastructure owned by the Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation's public infrastructure, including select websites and DNS configurations.\n\nSystems in scope for this program are listed below. 
We expect to include more domains in the future.\n\n* forum.makerdao.com\n* chat.makerdao.com\n* blog.makerdao.com\n* support.makerdao.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-10T19:49:32.588Z"},{"id":3618706,"new_policy":"# Introduction\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for public facing domains\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* The investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n* The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\n* A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    * The conditions on which reproducing the bug is contingent.\n    * The steps needed to reproduce the bug or, better yet, a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    * The potential implications of the vulnerability being abused.\n* Multiples or duplicates\n    * Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    * When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    * Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDoS attack\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker or which affect only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n* Cookies missing security flags (for non-sensitive cookies).\n* Additional missing security controls often considered “Best practice”, such as\n    * Content Security Policy (CSP) HTTP header\n    * HTTP Public Key Pinning (HPKP)\n    * Subresource integrity\n    * Referrer Policy\n* The following vulnerabilities in a vendor we integrate with:\n    * Cross-site Scripting (XSS)\n    * Cross-Site Request Forgery (CSRF)\n    * Cross Frame Scripting\n    * Content Spoofing\n* Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.\n* Weak TLS and SSL ciphers (we are already aware of these) \n\n# Time to response\nPlease allow 5 days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. 
If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, and any other affiliated persons are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n \n# SMART CONTRACTS PROGRAM\n## Introduction\nThe smart contracts bug bounty program will develop in iterations towards the launch of Multi-Collateral Dai (MCD) where: \n* The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch.\n\nThe minimum amounts will also increase in iterations of the bug bounty program towards the launch of Multi-Collateral Dai.\n\n## Special Requirements for Critical Smart Contract bugs\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:\n* The bug must allow a user to steal collateral tokens representing at least 10% of the value of all collateral tokens from the system.\n* The attack must be triggered through an attack vector that is more than just theoretical.\n* The system must be in normal operational mode or emergency shutdown mode. 
This excludes, for example, any states during deployment or shortly after when the system is not fully initialized.\n* Qualification for Critical will require a PoC implementation and reproducible steps.\n\n## Smart Contracts Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts over the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** 
(`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. Currently it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    * Note: We are aware that the balance of the contract may be different from the total amount that is deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system and so, unless a report can show how having a higher balance does have negative consequences, we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n* Adapters\n    * **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n    * **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    * **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    * **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    * Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different from the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n## Smart Contracts Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements. \n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.10](https://changelog.makerdao.com/releases/0.2.10/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com)\n\n## Smart Contracts Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD. 
\n* https://github.com/makerdao/developerguides/blob/master/mcd/mcd-101/mcd-101.md\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD. \n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md) \n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`). \n\nTo claim tokens use the following `seth` command (note the straight single quotes around the function signature):\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address. \n\n# INFRASTRUCTURE PROGRAM\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\nThe scope of our program focuses on exploiting specific externally facing infrastructure owned by Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope with this program are listed below. 
We expect to include more domains in the future.\n\n* forum.makerdao.com\n* chat.makerdao.com\n* blog.makerdao.com\n* support.makerdao.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-09-10T10:55:08.389Z"},{"id":3617397,"new_policy":"# Introduction\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for public facing domains\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* The investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n* The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\n* A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    * The conditions on which reproducing the bug is contingent.\n    * The steps needed to reproduce the bug or, better yet, a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    * The potential implications of the vulnerability being abused.\n* Multiples or duplicates\n    * Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    * When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    * Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDoS attack\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker or which affect only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n* Cookies missing security flags (for non-sensitive cookies).\n* Additional missing security controls often considered “Best practice”, such as\n    * Content Security Policy (CSP) HTTP header\n    * HTTP Public Key Pinning (HPKP)\n    * Subresource integrity\n    * Referrer Policy\n* Vulnerabilities in a vendor we integrate with.\n* Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.\n* Weak TLS and SSL ciphers (we are already aware of these) \n\n# Time to response\nPlease allow 5 days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. 
If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, and any other affiliated persons are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n \n# SMART CONTRACTS PROGRAM\n## Introduction\nThe smart contracts bug bounty program will develop in iterations towards the launch of Multi-Collateral Dai (MCD) where: \n* The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch.\n\nThe minimum amounts will also increase in iterations of the bug bounty program towards the launch of Multi-Collateral Dai.\n\n## Special Requirements for Critical Smart Contract bugs\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:\n* The bug must allow a user to steal collateral tokens representing at least 10% of the value of all collateral tokens from the system.\n* The attack must be triggered through an attack vector that is more than just theoretical.\n* The system must be in normal operational mode or emergency shutdown mode. 
This excludes, for example, any states during deployment or shortly after when the system is not fully initialized.\n* Qualification for Critical will require a PoC implementation and reproducible steps.\n\n## Smart Contracts Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts over the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** 
(`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. Currently it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    * Note: We are aware that the balance of the contract may be different from the total amount that is deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system and so, unless a report can show how having a higher balance does have negative consequences, we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n* Adapters\n    * **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n    * **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    * **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    * **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    * Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different from the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n## Smart Contracts Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements. \n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.10](https://changelog.makerdao.com/releases/0.2.10/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com)\n\n## Smart Contracts Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD. 
\n* https://github.com/makerdao/developerguides/blob/master/mcd/mcd-101/mcd-101.md\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD. \n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/mcd/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md) \n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`). \n\nTo claim tokens use the following `seth` command (note the straight single quotes around the function signature):\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address. \n\n# INFRASTRUCTURE PROGRAM\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\nThe scope of our program focuses on exploiting specific externally facing infrastructure owned by Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope with this program are listed below. 
We expect to include more domains in the future.\n\n* forum.makerdao.com\n* chat.makerdao.com\n* blog.makerdao.com\n* support.makerdao.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-28T11:02:47.373Z"},{"id":3617396,"new_policy":"# Introduction\nThe bug bounty program from the Maker Foundation currently contains two separate scopes, which share the same rules with a few exceptions as noted below. The scopes are:\n1. Smart contracts for Multi-Collateral Dai\n2. Infrastructure for public facing domains\n\nThe program may be expanded in the future to include more asset types such as frontends and apps.\n\n# Risk rating methodology\nWe generally base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood. One exception to this is described in the Smart Contracts section.\n\n# Report policy\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document, or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* The investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n* The reporter makes a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. 
Only interact with accounts you own or with the explicit permission of the account holder. \n\n* A detailed report increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n    * The conditions on which reproducing the bug is contingent.\n    * The steps needed to reproduce the bug or, better yet, a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid.\n    * The potential implications of the vulnerability being abused.\n* Multiples or duplicates\n    * Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n    * When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n    * Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\nLet us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. 
\n\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDoS attack\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker or which affect only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n* Cookies missing security flags (for non-sensitive cookies).\n* Additional missing security controls often considered “Best practice”, such as\n    * Content Security Policy (CSP) HTTP header\n    * HTTP Public Key Pinning (HPKP)\n    * Subresource integrity\n    * Referrer Policy\n* Vulnerabilities in a vendor we integrate with.\n* Vulnerabilities only affecting users of outdated or un-patched browsers and platforms.\n* Weak TLS and SSL ciphers (we are already aware of these) \n\n# Time to response\nPlease allow 5 days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. 
If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, and any other affiliated persons are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n \n# SMART CONTRACTS PROGRAM\n## Introduction\nThe smart contracts bug bounty program will develop in iterations towards the launch of Multi-Collateral Dai (MCD) where: \n* The scope of contracts will increase. Contracts already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch.\n\nThe minimum amounts will also increase in iterations of the bug bounty program towards the launch of Multi-Collateral Dai.\n\n## Special Requirements for Critical Smart Contract bugs\nLike the rest of the program, the smart contracts program generally uses the OWASP risk rating methodology for classifying bugs. One exception pertains to Critical bugs which must meet the following requirements:\n* The bug must allow a user to steal collateral tokens representing at least 10% of the value of all collateral tokens from the system.\n* The attack must be triggered through an attack vector that is more than just theoretical.\n* The system must be in normal operational mode or emergency shutdown mode. 
This excludes, for example, any states during deployment or shortly after when the system is not fully initialized.\n* Qualification for Critical will require a POC implementation and reproducible steps.\n\n## Smart Contracts Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for Multi-Collateral Dai as listed below.\n\nExploits may be grouped as follows:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** 
(`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`)- Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. Currently it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n    * Note: We are aware that the balance of the contract may be different than the total amount that is deposited if users send ETH directly to the contract. We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of balanceOf values out of scope.\n* Adapters\n    * **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n    * **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n    * **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n    * **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n    * Note: For all adapters, we are aware that the balance (ETH or token) of the contract may be different than the total amount that is joined through the contract if users send tokens or ETH directly to the contract. 
We do not believe this has a negative impact on the system and so unless a report can show how having a higher balance does have negative consequences we will consider reports on the actual balance being higher than the sum of tokens 'join'ed out of scope.\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n## Smart Contracts Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements. \n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.10](https://changelog.makerdao.com/releases/0.2.10/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com)\n\n## Smart Contracts Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD. 
\n* https://github.com/makerdao/developerguides/blob/master/mcd/mcd-101/mcd-101.md\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD. \n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md) \n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`). \n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address. \n\n# INFRASTRUCTURE PROGRAM\nLike the rest of the bug bounty program, the infrastructure program will evaluate bug reports based on the OWASP Risk Rating methodology. **However, only Critical bugs are currently in scope.**\n\n## Infrastructure Scope\nThe scope of our program focuses on exploiting specific externally facing infrastructure owned by Maker Foundation. This program covers security vulnerabilities discovered within the Maker Foundation public infrastructure including select websites and DNS configurations.\n\nSystems in scope with this program are listed below. 
We expect to include more domains in the future.\n\n* forum.makerdao.com\n* chat.makerdao.com\n* blog.makerdao.com\n* support.makerdao.com\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-08-28T09:39:42.192Z"},{"id":3614943,"new_policy":"# Introduction\nSystem security is paramount for the success of the Maker vision of an open financial system. In addition to multiple independent security audits and formal verification of our smart contracts for multi-collateral Dai (MCD), we also encourage responsible disclosure of security vulnerabilities via our bug bounty program as described in this document.\n\nThe bug bounty program will develop in iterations towards the launch of MCD where: \n* The scope of assets will increase. Assets already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch. The scope may also expand to include web applications, tools, etc.\n\nTo qualify for a reward, the investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n\n\n# Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. 
\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n# Rewards\nWe base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood.\n\nMultiple issues caused by one underlying vulnerability may only qualify for one reward.\n\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* It complies with the other conditions in this document\n\n# Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for multi-collateral Dai as listed below. Other Maker products and services are currently not in scope but may be added at a later date. \n\nExploits may be grouped as follows:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. 
Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`)- Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. 
Currently it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n* **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n* **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n* **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n* **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n# Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements. \n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.10](https://changelog.makerdao.com/releases/0.2.10/index.html). 
Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com)\n\n# Program Rules\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Rewards amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDOS attack\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker or which affects only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n\n# Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within MCD. 
\n* https://github.com/makerdao/developerguides/blob/master/mcd/mcd-101/mcd-101.md\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD. \n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md) \n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`). \n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address. \n\n# Responsible Reporting\nA detailed report with clear instructions on how to reproduce the vulnerability increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n\n* A description of the bug \n* The conditions on which reproducing the bug is contingent\n* The steps needed to reproduce the bug or a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid\n* The potential implications of the vulnerability being abused\n\nPlease allow 3 business days for our reply. 
We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, and any other affiliated persons are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-26T09:58:53.972Z"},{"id":3614873,"new_policy":"# Introduction\nSystem security is paramount for the success of the Maker vision of an open financial system. In addition to multiple independent security audits and formal verification of our smart contracts for multi-collateral Dai (MCD), we also encourage responsible disclosure of security vulnerabilities via our bug bounty program as described in this document.\n\nThe bug bounty program will develop in iterations towards the launch of MCD where: \n* The scope of assets will increase. Assets already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch. 
The scope may also expand to include web applications, tools, etc.\n\nTo qualify for a reward, the investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n\n\n# Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n# Rewards\nWe base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood.\n\nMultiple issues caused by one underlying vulnerability may only qualify for one reward.\n\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* It complies with the other conditions in this document\n\n# Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for multi-collateral Dai as listed below. Other Maker products and services are currently not in scope but may be added at a later date. \n\nExploits may be grouped as follows:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. 
System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`)- Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note in a previous version of the bug bounty program this was DSToken. 
Currently it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n* **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n* **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n* **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n* **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n# Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements. \n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.10](https://changelog.makerdao.com/releases/0.2.10/index.html). 
Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com)\n\n# Program Rules\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Rewards amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDOS attack\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker or which affects only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n\n# Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within the Dai Credit System. 
\n* https://github.com/makerdao/developerguides/blob/master/mcd/mcd-101/mcd-101.md\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD. \n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md) \n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`). \n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address. \n\n# Responsible Reporting\nA detailed report with clear instructions on how to reproduce the vulnerability increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n\n* A description of the bug \n* The conditions on which reproducing the bug is contingent\n* The steps needed to reproduce the bug or a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid\n* The potential implications of the vulnerability being abused\n\nPlease allow 3 business days for our reply. 
We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, and any other affiliated persons are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-25T14:00:52.907Z"},{"id":3614867,"new_policy":"# Introduction\nSystem security is paramount for the success of the Maker vision of an open financial system. In addition to multiple independent security audits and formal verification of our smart contracts for multi-collateral Dai (MCD), we also encourage responsible disclosure of security vulnerabilities via our bug bounty program as described in this document.\n\nThe bug bounty program will develop in iterations towards the launch of MCD where: \n* The scope of assets will increase. Assets already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch. 
The scope may also expand to include web applications, tools, etc.\n\nTo qualify for a reward, the investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n\n\n# Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n# Rewards\nWe base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood.\n\nMultiple issues caused by one underlying vulnerability may only qualify for one reward.\n\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* It complies with the other conditions in this document\n\n# Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for multi-collateral Dai as listed below. Other Maker products and services are currently not in scope but may be added at a later date. \n\nExploits may be grouped as follows:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. 
System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts for the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note: in Phase 1 this was DSToken; in Phase 2 it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token 
Wrapper\n* **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n* **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n* **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n* **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n# Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements. \n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.10](https://changelog.makerdao.com/releases/0.2.10/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com)\n\n# Program Rules\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDoS attacks\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team, including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker, or which affect only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n\n# Investigation Tools\n**MCD 101 Guide**\nA comprehensive overview of the smart contracts within the Dai Credit System. 
\n* https://github.com/makerdao/developerguides/blob/master/mcd/mcd-101/mcd-101.md\n\n**Source Code**\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\nCommand-line tool for interacting with MCD. \n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md) \n\n**Faucet**\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`). \n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address. \n\n# Responsible Reporting\nA detailed report with clear instructions on how to reproduce the vulnerability increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n\n* A description of the bug \n* The conditions on which reproducing the bug is contingent\n* The steps needed to reproduce the bug or a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid\n* The potential implications of the vulnerability being abused\n\nPlease allow 3 business days for our reply. 
We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, and any other affiliated persons are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-25T12:48:48.302Z"},{"id":3614864,"new_policy":"# Introduction\nSystem security is paramount for the success of the Maker vision of an open financial system. In addition to multiple independent security audits and formal verification of our smart contracts for multi-collateral Dai (MCD), we also encourage responsible disclosure of security vulnerabilities via our bug bounty program as described in this document.\n\nThe bug bounty program will develop in iterations towards the launch of MCD where: \n* The scope of assets will increase. Assets already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch. 
The scope may also expand to include web applications, tools, etc.\n\nTo qualify for a reward, the investigation method and vulnerability report must adhere to the guidelines in this document. It is ultimately our sole discretion whether a report meets the reward requirements.\n\n\n# Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n# Rewards\nWe base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood.\n\nMultiple issues caused by one underlying vulnerability may only qualify for one reward.\n\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* It complies with the other conditions in this document\n\n# Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for multi-collateral Dai as listed below. Other Maker products and services are currently not in scope but may be added at a later date. \n\nExploits may be grouped as following:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. 
System-level (combining multiple contracts)\n4. Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts for the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note: in Phase 1 this was DSToken; in Phase 2 it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token 
Wrapper\n* **[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n* **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n* **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n* **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n# Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements. \n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.10](https://changelog.makerdao.com/releases/0.2.10/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com)\n\n# Program Rules\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDoS attacks\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team, including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker, or which affect only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n\n# Investigation Tools\n\n**Source Code**\n\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deploy-scripts\n\n**Seth**\n\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\n\nCommand-line tool for interacting with MCD. 
\n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md) \n\n**Faucet**\n\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`). \n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address. \n\n# Responsible Reporting\nA detailed report with clear instructions on how to reproduce the vulnerability increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n\n* A description of the bug \n* The conditions on which reproducing the bug is contingent\n* The steps needed to reproduce the bug or a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid\n* The potential implications of the vulnerability being abused\n\nPlease allow 3 business days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. 
If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, and any other affiliated persons are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-25T12:06:30.999Z"},{"id":3614863,"new_policy":"# Introduction\nSystem security is paramount for the success of the Maker vision of an open financial system. In addition to multiple independent security audits and formal verification of our smart contracts for multi-collateral Dai (MCD), we also encourage responsible disclosure of security vulnerabilities via our bug bounty program as described in this document.\n\nThe bug bounty program will develop in iterations towards the launch of MCD where: \n* The scope of assets will increase. Assets already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch. The scope may also expand to include web applications, tools, etc.\n\nTo qualify for a reward, the investigation method and vulnerability report must adhere to the guidelines in this document. 
It is ultimately our sole discretion whether a report meets the reward requirements.\n\n\n# Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n# Rewards\nWe base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood.\n\nMultiple issues caused by one underlying vulnerability may only qualify for one reward.\n\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* It complies with the other conditions in this document\n\n# Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for multi-collateral Dai as listed below. Other Maker products and services are currently not in scope but may be added at a later date. \n\nExploits may be grouped as following:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. 
Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts for the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note: in Phase 1 this was DSToken; in Phase 2 it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n* 
**[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n* **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n* **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n* **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get address call for a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) Oracle Security Module\n\n# Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements. \n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.10](https://changelog.makerdao.com/releases/0.2.10/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com)\n\n# Program Rules\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDoS attacks\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team, including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker, or which affect only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n\n# Investigation Tools\n\n**Source Code**\n\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deployment-scripts/\n\n**Seth**\n\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\n\nCommand-line tool for interacting with MCD. 
\n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/devtools/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md) \n\n**Faucet**\n\nA faucet is available to facilitate obtaining MKR and Collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`). \n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address. \n\n# Responsible Reporting\nA detailed report with clear instructions on how to reproduce the vulnerability increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n\n* A description of the bug \n* The conditions on which reproducing the bug is contingent\n* The steps needed to reproduce the bug or a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid\n* The potential implications of the vulnerability being abused\n\nPlease allow 3 business days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. 
If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, and any other affiliated persons are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-25T11:50:45.558Z"},{"id":3614773,"new_policy":"# Introduction\nSystem security is paramount for the success of the Maker vision of an open financial system. In addition to multiple independent security audits and formal verification of our smart contracts for multi-collateral Dai (MCD), we also encourage responsible disclosure of security vulnerabilities via our bug bounty program as described in this document.\n\nThe bug bounty program will develop in iterations towards the launch of MCD where: \n* The scope of assets will increase. Assets already in scope may be updated on a bi-weekly basis as shown on changelog.makerdao.com\n* Bug bounty amounts will increase.\n\nThe program is planned to be a long-running program that will continue indefinitely after launch of MCD.\n\nThe scope is initially a selection of the core smart contracts of MCD as deployed on Ethereum Kovan/Görli testnets, while more contracts will be added towards MCD launch. The scope may also expand to include web applications, tools, etc.\n\nTo qualify for a reward, the investigation method and vulnerability report must adhere to the guidelines in this document. 
It is ultimately our sole discretion whether a report meets the reward requirements.\n\n\n# Disclosure Policy \n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue. \n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. \n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder. \n\n# Rewards\nWe base our rewards on an OWASP Risk Rating Methodology score, factoring in both impact and likelihood.\n\nMultiple issues caused by one underlying vulnerability may only qualify for one reward.\n\nA bug report may qualify for a reward only when:\n\n* It makes the Maker team aware of the bug for the first time\n* The reporter allows the Maker team a reasonable amount of time to fix the vulnerability before disclosing it to other parties or to the public\n* The reporter has not used the bug to receive any reward or monetary gain outside of the bug bounty rewards described in this document or allowed anyone else to profit outside the bug bounty program\n* A bug is reported without any conditions, demands, or threats\n* It complies with the other conditions in this document\n\n# Scope\nAt this time, rewards will be paid out for vulnerabilities discovered in our core smart contracts for multi-collateral Dai as listed below. Other Maker products and services are currently not in scope but may be added at a later date. \n\nExploits may be grouped as following:\n1. Function-level (exploitable through a single entry-point)\n2. Contract-level (combining multiple entry-points)\n3. System-level (combining multiple contracts)\n4. 
Game-level (attacking the incentive mechanisms) *(currently not eligible for reward)*\n\nOnly exploits within groups 1-3 are currently eligible for rewards in this bug bounty program.\n\nThe following smart contracts are included in the bug bounty program. There may be redeployments of the contracts during the duration of the bug bounty program. Please see the section below for more information on the current release eligible for bug bounties.\n\n### Contracts\n\n**Core System Contracts**\n\n* **[Vat](https://github.com/makerdao/dss/blob/master/src/vat.sol)** (`MCD_VAT`) - Core CDP Engine\n* **[Spotter](https://github.com/makerdao/dss/blob/master/src/spot.sol)** (`MCD_SPOT`) - Price feed updater\n* **[Jug](https://github.com/makerdao/dss/blob/master/src/jug.sol)** (`MCD_JUG`) - Stability fee accumulator\n* **[Pot](https://github.com/makerdao/dss/blob/master/src/pot.sol)** (`MCD_POT`) - Dai Savings\n* **[Cat](https://github.com/makerdao/dss/blob/master/src/cat.sol)** (`MCD_CAT`) - Liquidation Module\n* **[End](https://github.com/makerdao/dss/blob/master/src/end.sol)** (`MCD_END`) - Global Settlement Module\n* **[Flapper](https://github.com/makerdao/dss/blob/master/src/flap.sol)** (`MCD_FLAP`) - Surplus Auction\n* **[Flipper](https://github.com/makerdao/dss/blob/master/src/flip.sol)** (`MCD_FLIP`) - Collateral Auction\n* **[Flopper](https://github.com/makerdao/dss/blob/master/src/flop.sol)** (`MCD_FLOP`) - Debt Auction\n* **[Vow](https://github.com/makerdao/dss/blob/master/src/vow.sol)** (`MCD_VOW`) - Dai Settlement\n\n**Dai**\n\n* **[Dai](https://github.com/makerdao/dss/blob/master/src/dai.sol)** (`MCD_DAI`) - Dai Token (note: in Phase 1 this was DSToken; in Phase 2 it is `dss/Dai.sol`)\n* **[DaiJoin](https://github.com/makerdao/dss/blob/master/src/join.sol)** (`MCD_JOIN_DAI`) - Dai Token Adapter\n\n**Collateral**\n\n* **[WETH9_](https://github.com/dapphub/ds-weth/blob/master/src/weth9.sol)** (`MCD_ETH`) - ETH Token Wrapper\n* 
**[GemJoin1](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_BAT_A`, `MCD_JOIN_REP_A`, `MCD_JOIN_ETH_A`, `MCD_JOIN_ETH_B`, `MCD_JOIN_ETH_C`, `MCD_JOIN_ZRX_A`) - BAT, REP, WETH, ZRX Adapter\n* **[GemJoin2](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_OMG_A`) - OMG Adapter\n* **[GemJoin3](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_DGD_A`) - DGD Adapter\n* **[GemJoin4](https://github.com/makerdao/dss-deploy/blob/master/src/join.sol)** (`MCD_JOIN_GNT_A`) - GNT Adapter\n\n**Oracles**\n\n* **[Median](https://github.com/makerdao/median)** (to get the address, call `src()` on a specific OSM, for example `seth call $PIP_ETH 'src()(address)'`) - Medianizer for Oracles\n* **[OSM](https://github.com/makerdao/osm/)** (`PIP_ETH`, `PIP_REP`, `PIP_ZRX`, `PIP_OMG`, `PIP_BAT`, `PIP_DGD`, `PIP_GNT`) - Oracle Security Module\n\n# Bi-weekly Releases\n\nUntil MCD launch, the Maker Foundation will continue with bi-weekly deployments of the latest versions of the smart contracts to either the Kovan or Görli testnets. New deployments of contracts in scope for the program will only contain bug fixes or minor enhancements. \n\nThe bug bounty program will be applicable to only one release at a time, and this release is also expected to update approximately bi-weekly, though with a delay relative to deployment.\n\n**The current release eligible for vulnerability reports is [0.2.10](https://changelog.makerdao.com/releases/0.2.10/index.html). Only vulnerabilities found in this deployment can currently be submitted for a reward.**\n\nContract details for all the latest releases are available from [changelog.makerdao.com](https://changelog.makerdao.com)\n\n# Program Rules\n* Follow HackerOne's disclosure guidelines.\n* Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Reward amounts mentioned in this document are the minimum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.\n\n# Ineligible methods\nVulnerabilities contingent on any of the following activities do not qualify for a reward in the bug bounty program:\n\n* Social engineering\n* DDOS attack\n* Spamming\n* Any physical attacks against Maker Foundation property, data centers or employees\n* Automated tools\n* Compromising or misusing third party systems or services\n\n# Ineligible bugs\n* Vulnerabilities already known to the public or to the Maker Foundation team, including previous findings from another participant in the bug bounty program\n* Vulnerabilities in outdated software from Maker or which affect only outdated third party software\n* Bugs that are not reproducible\n* Bugs disclosed to other parties without consent from the Maker team\n* Issues which we cannot reasonably be expected to be able to do anything about\n\n# Investigation Tools\n\n**Source Code**\n\nThe MCD core contracts and their documentation can be found here:\n* https://github.com/makerdao/dss\n* https://github.com/makerdao/dss/wiki\n\nDeployment Scripts:\n* https://github.com/makerdao/dss-deploy\n* https://github.com/makerdao/dss-deployment-scripts/\n\n**Seth**\n\nEthereum command-line tool used by our deploy scripts:\n* https://dapp.tools/seth/\n* [Guide](https://github.com/makerdao/developerguides/blob/master/tools/seth/seth-guide-01/seth-guide-01.md)\n\n**MCD CLI**\n\nCommand-line tool for interacting with MCD. 
\n* https://github.com/makerdao/mcd-cli\n* [Guide](https://github.com/makerdao/developerguides/blob/master/tools/mcd-cli/mcd-cli-guide-01/mcd-cli-guide-01.md) \n\n**Faucet**\n\nA faucet is available to facilitate obtaining MKR and collateral tokens on testnet. See the [changelog](https://changelog.makerdao.com) to get the faucet address for the relevant deployment (`FAUCET`). \n\nTo claim tokens use the following `seth` command:\n\n`seth send $FAUCET 'gimme()'`\n\nThis will only work once per address. \n\n# Responsible Reporting\nA detailed report with clear instructions on how to reproduce the vulnerability increases the likelihood of a reward payout and may also increase the reward amount. Please include as much information about the vulnerability as possible, including:\n\n* A description of the bug \n* The conditions on which reproducing the bug is contingent\n* The steps needed to reproduce the bug or a proof of concept. If the amount of detail is not sufficient to reproduce the bug, no reward will be paid\n* The potential implications of the vulnerability being abused\n\nPlease allow 3 business days for our reply. We may follow up with additional questions regarding how to reproduce the bug, and to qualify for a reward the investigator must respond to these in a timely manner.\n\n\n# Fine Print\nThis bug bounty program may be canceled or revised at any time at the discretion of the Maker team. We pledge not to initiate legal action against investigators for security research conducted within the policies described in this document. 
If in doubt about the scope or conditions of the bug bounty program, please send your question to integrate+bugbounty@makerdao.com.\n\nOur employees, contractors, their close family members, and any other affiliated persons are ineligible to participate in this program.\n\nThank you for helping keep Maker safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-07-24T17:36:41.657Z"}]