[{"id":3733373,"new_policy":"# Polygon Labs Bug Bounty Program\n\nPolygon Labs looks forward to working with the security community to find security vulnerabilities to keep users safe.\n\n## Response Targets\n\nPolygon Labs will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in Business Days |\n| ---------------- | -------------------- |\n| First Response   | 2 days               |\n| Time to Triage   | 2 days               |\n| Time to Bounty   | 14 days              |\n| Time to Resolution | Depends on severity and complexity |\n\n## Disclosure Policy\n\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. Follow HackerOne's disclosure guidelines.\n\n## Program Rules\n\n- Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n- Ask the program team before submitting vulnerabilities on unscoped subdomains.\n- Only interact with accounts you own or with the explicit permission of the account holder.\n\n## Rewards\n\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Polygon Labs.\n\n## Out-of-Scope Vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n- Any issues already reported publicly on GitHub.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Sections of the code intended to be used for testing purposes.\n- Clickjacking on pages with no sensitive actions.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Issues that require unlikely user interaction.\n- Privacy-related vulnerabilities (e.g., leaking your address to other peers on the network).\n- Open redirect - unless an additional security impact can be demonstrated.\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n- Rate limiting or bruteforce issues on non-authentication endpoints.\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies.\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).\n- Vulnerabilities that depend solely on third-party services that we utilize and might be subject to their bug bounty program.\n- Broken social media links not directly related to Polygon Labs (f.e solution providers listed on ecosystem.polygon.technology are considered as OUT of scope)\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will, within our sole discretion, endeavor to make it known that your actions were conducted in compliance with this policy.\n\n## Program Changes\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThank you for helping keep users safe!\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-23T08:35:09.212Z"},{"id":3732449,"new_policy":"# Polygon Labs Bug Bounty Program\n\nPolygon Labs looks forward to working with the security community to find security vulnerabilities to keep users safe.\n\n## Response Targets\n\nPolygon Labs will make a best effort to meet the following response targets for hackers participating in our program:\n\n| Type of Response | SLA in Business Days |\n| ---------------- | -------------------- |\n| First Response   | 2 days               |\n| Time to Triage   | 2 days               |\n| Time to Bounty   | 14 days              |\n| Time to Resolution | Depends on severity and complexity |\n\n## Disclosure Policy\n\nAs this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization. Follow HackerOne's disclosure guidelines.\n\n## Program Rules\n\n- Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n- Ask the program team before submitting vulnerabilities on unscoped subdomains.\n- Only interact with accounts you own or with the explicit permission of the account holder.\n\n## Rewards\n\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Polygon Labs.\n\n## Out-of-Scope Vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n\n- Any issues already reported publicly on GitHub.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Sections of the code intended to be used for testing purposes.\n- Clickjacking on pages with no sensitive actions.\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS).\n- Issues that require unlikely user interaction.\n- Privacy-related vulnerabilities (e.g., leaking your address to other peers on the network).\n- Open redirect - unless an additional security impact can be demonstrated.\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n- Rate limiting or bruteforce issues on non-authentication endpoints.\n- Missing best practices in Content Security Policy.\n- Missing HttpOnly or Secure flags on cookies.\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).\n- Vulnerabilities that depend solely on third-party services that we utilize and might be subject to their bug bounty program.\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will, within our sole discretion, endeavor to make it known that your actions were conducted in compliance with this policy.\n\n## Program Changes\n\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThank you for helping keep users safe!\n","has_open_scope":false,"pays_within_one_month":false,"protected_by_gold_standard_safe_harbor":false,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-16T08:08:48.283Z"},{"id":3681300,"new_policy":"# Introduction\nPolygon looks forward to working with the security community to find security vulnerabilities to keep our businesses and customers safe.\n\n**PLEASE NOTE: This program requires that a KYC/KYB is passed in order to process any bounty payments**\n\n# Program Policy\n## Program Process\nThe Polygon Security team will be reviewing each report carefully. A report must be a valid, in-scope report to qualify for a bounty, which will be awarded based on the severity of such vulnerability. We determine severity based on two factors: Impact and Exploitability.\n\nReports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid. After the internal review process is complete, any reports that are not reproducible, invalid, or informative will be closed.\n\nUpon confirmation of the report being valid, and determination of the Severity, Polygon requires the Researcher to submit to a KYC/KYB process for compliance reasons.\n\nWith the KYC/KYB completed and approved payment will be processed\n\n## Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Report Checklist\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per the report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Polygon's designated testnet for this program is prohibited\n* Attacking any other network than Polygon is prohibited\n* Any reports that are out of scope but that are deemed valuable or business impactful to Polygon will be considered at Polygon's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Polygon.\n\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes) |\n| DDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n\n## Out-of-scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Rate Limiting (Non-critical issues)\n* Social engineering\n* Findings related to a service hosted by a third party (ex. Discorse or Getro)\n\n**If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.**\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Program Changes\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThank you for helping keep Polygon and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-19T13:17:01.065Z"},{"id":3680861,"new_policy":"# Introduction\nPolygon looks forward to working with the security community to find security vulnerabilities to keep our businesses and customers safe.\n\n**PLEASE NOTE: This program requires that a KYC/KYB is passed in order to process any bounty payments**\n\n# Program Policy\n## Program Process\nThe Polygon Security team will be reviewing each report carefully. A report must be a valid, in-scope report to qualify for a bounty, which will be awarded based on the severity of such vulnerability. We determine severity based on two factors: Impact and Exploitability.\n\nReports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid. After the internal review process is complete, any reports that are not reproducible, invalid, or informative will be closed.\n\nUpon confirmation of the report being valid, and determination of the Severity, Polygon requires the Researcher to submit to a KYC/KYB process for compliance reasons.\n\nWith the KYC/KYB completed and approved payment will be processed\n\n## Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Report Checklist\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per the report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Polygon's designated testnet for this program is prohibited\n* Attacking any other network than Polygon is prohibited\n* Any reports that are out of scope but that are deemed valuable or business impactful to Polygon will be considered at Polygon's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Polygon.\n\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes) |\n| DDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n\n## Out-of-scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Rate Limiting (Non-critical issues)\n* Social engineering\n\n**If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.**\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Program Changes\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThank you for helping keep Polygon and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-09T09:35:37.662Z"},{"id":3677450,"new_policy":"# Introduction\nPolygon looks forward to working with the security community to find security vulnerabilities to keep our businesses and customers safe.\n\n**PLEASE NOTE: This program requires that a KYC/KYB is passed in order to process any bounty payments**\n\n# Program Policy\n## Program Process\nThe Polygon Security team will be reviewing each report carefully. A report must be a valid, in-scope report to qualify for a bounty, which will be awarded based on the severity of such vulnerability. We determine severity based on two factors: Impact and Exploitability.\n\nReports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid. After the internal review process is complete, any reports that are not reproducible, invalid, or informative will be closed.\n\nUpon confirmation of the report being valid, and determination of the Severity, Polygon requires the Researcher to submit to a KYC/KYB process for compliance reasons.\n\nWith the KYC/KYB completed and approved payment will be processed\n\n## Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n## Report Checklist\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per the report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Polygon's designated testnet for this program is prohibited\n* Attacking any other network than Polygon is prohibited\n* Any reports that are out of scope but that are deemed valuable or business impactful to Polygon will be considered at Polygon's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n## Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Polygon.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n|----------|--------|---------|------|\n|  $5,000  | $3,000 | $1,500    | $300 |\n\n### Indicative examples of valid attacks that could be done on Polygon\n\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes) |\n| DDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n\n## Out-of-scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.\n* Rate Limiting (Non-critical issues)\n* Social engineering\n\n**If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.**\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\n# Program Changes\nWe reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.\n\nThank you for helping keep Polygon and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-19T16:43:34.501Z"},{"id":3676446,"new_policy":"Polygon looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Polygon's designated testnet for this program is prohibited\n* Attacking any other network than Polygon is prohibited\n* Any reports that are out of scope but that are deemed valuable or business impactful to Polygon will be considered at Polygon's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n\n# Test Plan\n\n##Getting Started\n* If you are new to blockchains and/or to Polygon, take a look at the Polygon overview - https://wiki.polygon.technology/\n\n* Explore the code on GitHub there are 2 main repositories for you to study\nHeimdall - https://github.com/maticnetwork/heimdall\nBor - https://github.com/maticnetwork/bor\n\n##Setting up\n* Set up a test network locally with these instructions: Getting Started - Running a node on the local environment: https://github.com/maticnetwork/matic-cli\n\nThe Polygon CLI repo is an easy way to set up and manage Polygon validator nodes in a local environment. This would help in simulating tests and attacks locally.\n\n\n##Getting Tokens for Testing\n* To get tokens you can access our faucet: https://faucet.polygon.technology/ and choose the Goerli network to get some tokens.\n\nYou’re now set up to start looking for vulnerabilities.\n\n##Have questions?\nCheck out the forum and join the discussion on Discord.\nForum - https://forum.matic.network\nDiscord - https://discord.gg/XvpHAxZ\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Polygon.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n|----------|--------|---------|------|\n|  $5,000  | $3,000 | $1,500    | $300 |\n\n## Indicative examples of valid attacks that could be done on Polygon\n\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes) |\n| DDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n\n## Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Polygon and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-23T11:56:42.083Z"},{"id":3676445,"new_policy":"Polygon looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nPolygon will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Polygon's designated testnet for this program is prohibited\n* Attacking any other network than Polygon is prohibited\n* Any reports that are out of scope but that are deemed valuable or business impactful to Polygon will be considered at Polygon's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n\n# Test Plan\n\n##Getting Started\n* If you are new to blockchains and/or to Polygon, take a look at the Polygon overview - https://wiki.polygon.technology/\n\n* Explore the code on GitHub there are 2 main repositories for you to study\nHeimdall - https://github.com/maticnetwork/heimdall\nBor - https://github.com/maticnetwork/bor\n\n##Setting up\n* Set up a test network locally with these instructions: Getting Started - Running a node on the local environment: https://github.com/maticnetwork/matic-cli\n\nThe Polygon CLI repo is an easy way to set up and manage Polygon validator nodes in a local environment. This would help in simulating tests and attacks locally.\n\n\n##Getting Tokens for Testing\n* To get tokens you can access our faucet: https://faucet.polygon.technology/ and choose the Goerli network to get some tokens.\n\nYou’re now set up to start looking for vulnerabilities.\n\n##Have questions?\nCheck out the forum and join the discussion on Discord.\nForum - https://forum.matic.network\nDiscord - https://discord.gg/XvpHAxZ\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Polygon.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n|----------|--------|---------|------|\n|  $5,000  | $3,000 | $1,500    | $300 |\n\n## Indicative examples of valid attacks that could be done on Polygon\n\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes) |\n| DDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n\n## Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Polygon and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-23T11:55:18.295Z"},{"id":3675596,"new_policy":"Matic Network looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nMatic Network will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Matic Network’s designated testnet for this program is prohibited\n* Attacking any other network than Matic Network is prohibited\n* Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n\n# Test Plan\n\n##Getting Started\n* If you are new to blockchains and/or to Matic, take a look at the Matic overview - https://docs.matic.network/docs/home/architecture/matic-architecture\n\n* Explore the code on GitHub there are 2 main repositories for you to study\nHeimdall - https://github.com/maticnetwork/heimdall\nBor - https://github.com/maticnetwork/bor\n\n##Setting up\n* Set up a test network locally with these instructions: Getting Started - Running a node on the local environment: https://github.com/maticnetwork/matic-cli\n\nThe Matic CLI repo is an easy way to set up and manage Matic validator nodes in a local environment. This would help in simulating tests and attacks locally.\n\n\n\n##Getting Tokens for Testing\n* To get tokens you can access our faucet: https://faucet.matic.network/ and choose the Goerli network to get some tokens. Or you can drop an email with your ETH address to delroy(@)matic.network\n\nYou’re now set up to start looking for vulnerabilities.\n\n##Have questions?\nCheck out the forum and join the discussion on Discord.\nForum - https://forum.matic.network\nDiscord - https://discord.gg/XvpHAxZ\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Matic Network.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n|----------|--------|---------|------|\n|  $5,000  | $3,000 | $1,500    | $300 |\n\n## Indicative examples of valid attacks that could be done on Matic Network\n\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes) |\n| DDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n# In Scope Repositories\n\n* Heimdall - This github repository contains the source code for one of the core components of Matic. Heimdall is the heart of the Matic system. It manages validators, block producer selection, spans, the state-sync mechanism between Ethereum and Matic, and other essential aspects of the system.\n\nURL - https://github.com/maticnetwork/heimdall\nCategory - Critical\n\n* Bor - The Bor node or the Block Producer implementation is basically the sidechain operator. The sidechain VM is EVM-compatible. \n\nURL - https://github.com/maticnetwork/bor\nCategory - Critical\n\n\n# Out of Scope Repositories examples\n\n* Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n* Website - The Matic Network website\nURL - https://matic.network\n\n* Matic JS\nURL - https://github.com/maticnetwork/matic.js\n\n* Matic Scabbards\nURL - https://github.com/maticnetwork/matic-scabbards \n\nAnd any other repositories that are not mentioned “In-Scope” is considered as out of scope.\n\n\n## Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Matic Network and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-03T13:29:09.027Z"},{"id":3653421,"new_policy":"Matic Network looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nMatic Network will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Matic Network’s designated testnet for this program is prohibited\n* Attacking any other network than Matic Network is prohibited\n* Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n\n# Test Plan\n\n##Getting Started\n* If you are new to blockchains and/or to Matic, take a look at the Matic overview - https://docs.matic.network/docs/home/architecture/matic-architecture\n\n* Explore the code on GitHub there are 3 main repositories for you to study\nHeimdall - https://github.com/maticnetwork/heimdall\nBor - https://github.com/maticnetwork/bor\nContracts - https://github.com/maticnetwork/contracts \n\n##Setting up\n* Set up a test network locally with these instructions: Getting Started - Running a node on the local environment: https://github.com/maticnetwork/matic-cli\n\nThe Matic CLI repo is an easy way to set up and manage Matic validator nodes in a local environment. This would help in simulating tests and attacks locally.\n\n\n\n##Getting Tokens for Testing\n* To get tokens you can access our faucet: https://faucet.matic.network/ and choose the Goerli network to get some tokens. Or you can drop an email with your ETH address to delroy(@)matic.network\n\nYou’re now set up to start looking for vulnerabilities.\n\n##Have questions?\nCheck out the forum and join the discussion on Discord.\nForum - https://forum.matic.network\nDiscord - https://discord.gg/XvpHAxZ\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Matic Network.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n|----------|--------|---------|------|\n|  $5,000  | $3,000 | $1,500    | $300 |\n\n## Indicative examples of valid attacks that could be done on Matic Network\n\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes) |\n| DDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n# In Scope Repositories\n\n* Heimdall - This github repository contains the source code for one of the core components of Matic. Heimdall is the heart of the Matic system. It manages validators, block producer selection, spans, the state-sync mechanism between Ethereum and Matic, and other essential aspects of the system.\n\nURL - https://github.com/maticnetwork/heimdall\nCategory - Critical\n\n* Bor - The Bor node or the Block Producer implementation is basically the sidechain operator. The sidechain VM is EVM-compatible. \n\nURL - https://github.com/maticnetwork/bor\nCategory - Critical\n\n* Contracts - This repository contains the smart contracts that power Matic Network\n\nURL - https://github.com/maticnetwork/contracts\nCategory - Critical\n\n# Out of Scope Repositories examples\n\n* Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n* Website - The Matic Network website\nURL - https://matic.network\n\n* Matic JS\nURL - https://github.com/maticnetwork/matic.js\n\n* Matic Scabbards\nURL - https://github.com/maticnetwork/matic-scabbards \n\nAnd any other repositories that are not mentioned “In-Scope” is considered as out of scope.\n\n\n## Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Matic Network and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-14T06:08:16.620Z"},{"id":3653420,"new_policy":"Matic Network looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nMatic Network will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Matic Network’s designated testnet for this program is prohibited\n* Attacking any other network than Matic Network is prohibited\n* Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n\n# Test Plan\n\n##Getting Started\n* If you are new to blockchains and/or to Matic, take a look at the Matic overview - https://docs.matic.network/docs/home/architecture/matic-architecture\n\n* Explore the code on GitHub there are 3 main repositories for you to study\nHeimdall - https://github.com/maticnetwork/heimdall\nBor - https://github.com/maticnetwork/bor\nContracts - https://github.com/maticnetwork/contracts \n\n##Setting up\n* Set up a test network locally with these instructions: Getting Started - Running a node on the local environment: https://github.com/maticnetwork/matic-cli/tree/v0.0.4-beta.1\n\nThe Matic CLI repo is an easy way to set up and manage Matic validator nodes in a local environment. This would help in simulating tests and attacks locally.\n\n\n\n##Getting Tokens for Testing\n* To get tokens you can access our faucet: https://faucet.matic.network/ and choose the Goerli network to get some tokens. Or you can drop an email with your ETH address to delroy(@)matic.network\n\nYou’re now set up to start looking for vulnerabilities.\n\n##Have questions?\nCheck out the forum and join the discussion on Discord.\nForum - https://forum.matic.network\nDiscord - https://discord.gg/XvpHAxZ\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Matic Network.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n|----------|--------|---------|------|\n|  $5,000  | $3,000 | $1,500    | $300 |\n\n## Indicative examples of valid attacks that could be done on Matic Network\n\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes) |\n| DDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n# In Scope Repositories\n\n* Heimdall - This github repository contains the source code for one of the core components of Matic. Heimdall is the heart of the Matic system. It manages validators, block producer selection, spans, the state-sync mechanism between Ethereum and Matic, and other essential aspects of the system.\n\nURL - https://github.com/maticnetwork/heimdall\nCategory - Critical\n\n* Bor - The Bor node or the Block Producer implementation is basically the sidechain operator. The sidechain VM is EVM-compatible. \n\nURL - https://github.com/maticnetwork/bor\nCategory - Critical\n\n* Contracts - This repository contains the smart contracts that power Matic Network\n\nURL - https://github.com/maticnetwork/contracts\nCategory - Critical\n\n# Out of Scope Repositories examples\n\n* Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n* Website - The Matic Network website\nURL - https://matic.network\n\n* Matic JS\nURL - https://github.com/maticnetwork/matic.js\n\n* Matic Scabbards\nURL - https://github.com/maticnetwork/matic-scabbards \n\nAnd any other repositories that are not mentioned “In-Scope” is considered as out of scope.\n\n\n## Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Matic Network and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-06-14T05:37:10.847Z"},{"id":3650539,"new_policy":"Matic Network looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nMatic Network will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Matic Network’s designated testnet for this program is prohibited\n* Attacking any other network than Matic Network is prohibited\n* Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n\n# Test Plan\n\n##Getting Started\n* If you are new to blockchains and/or to Matic, take a look at the Matic overview - https://docs.matic.network/docs/home/architecture/matic-architecture\n\n* Explore the code on GitHub there are 3 main repositories for you to study\nHeimdall - https://github.com/maticnetwork/heimdall\nBor - https://github.com/maticnetwork/bor\nContracts - https://github.com/maticnetwork/contracts \n\n##Setting up\n* Set up a test network locally with these instructions: Getting Started - Running a node on the local environment: https://github.com/maticnetwork/matic-cli\n\nThe Matic CLI repo is an easy way to setup and manage Matic validator nodes on a local environment. This would help in simulating tests and attacks locally.\n\n\n* If you want to run a node on the Counter Stake - Stage 2 staking testnet, you follow the instructions on these links:\n\n##Overview\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/getting-started\n\n##Linux Package\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/linux-package-installation\n\n##Binaries\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/running-with-binaries\n\n##Getting Tokens for Testing\n* To get tokens you can access our faucet: https://faucet.matic.network/ and choose the Goerli network to get some tokens. Or you can drop an email with your ETH address to delroy(@)matic.network\n\nYou’re now set up to start looking for vulnerabilities.\n\n##Have questions?\nCheck out the forum and join the discussion on Discord.\nForum - https://forum.matic.network\nDiscord - https://discord.gg/XvpHAxZ\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Matic Network.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n|----------|--------|---------|------|\n|  $5,000  | $3,000 | $1,500    | $300 |\n\n## Indicative examples of valid attacks that could be done on Matic Network\n\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes) |\n| DDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n# In Scope Repositories\n\n* Heimdall - This github repository contains the source code for one of the core components of Matic. Heimdall is the heart of the Matic system. It manages validators, block producer selection, spans, the state-sync mechanism between Ethereum and Matic, and other essential aspects of the system.\n\nURL - https://github.com/maticnetwork/heimdall\nCategory - Critical\n\n* Bor - The Bor node or the Block Producer implementation is basically the sidechain operator. The sidechain VM is EVM-compatible. \n\nURL - https://github.com/maticnetwork/bor\nCategory - Critical\n\n* Contracts - This repository contains the smart contracts that power Matic Network\n\nURL - https://github.com/maticnetwork/contracts\nCategory - Critical\n\n# Out of Scope Repositories examples\n\n* Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n* Website - The Matic Network website\nURL - https://matic.network\n\n* Matic JS\nURL - https://github.com/maticnetwork/matic.js\n\n* Matic Scabbards\nURL - https://github.com/maticnetwork/matic-scabbards \n\nAnd any other repositories that are not mentioned “In-Scope” is considered as out of scope.\n\n\n## Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Matic Network and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-03-30T09:32:16.605Z"},{"id":3641897,"new_policy":"Matic Network looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nMatic Network will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Matic Network’s designated testnet for this program is prohibited\n* Attacking any other network than Matic Network is prohibited\n* Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n\n# Test Plan\n\n##Getting Started\n* If you are new to blockchains and/or to Matic, take a look at the Matic overview - https://docs.matic.network/docs/home/architecture/matic-architecture\n\n* Explore the code on GitHub there are 3 main repositories for you to study\nHeimdall - https://github.com/maticnetwork/heimdall\nBor - https://github.com/maticnetwork/bor\nContracts - https://github.com/maticnetwork/contracts \n\n##Setting up\n* Set up a test network locally with these instructions: Getting Started - Running a node on the local environment: https://github.com/maticnetwork/matic-cli\n\nThe Matic CLI repo is an easy way to setup and manage Matic validator nodes on a local environment. This would help in simulating tests and attacks locally.\n\n\n* If you want to run a node on the Counter Stake - Stage 2 staking testnet, you follow the instructions on these links:\n\n##Overview\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/getting-started\n\n##Linux Package\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/linux-package-installation\n\n##Binaries\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/running-with-binaries\n\n##Getting Tokens for Testing\n* To get tokens you can access our faucet: https://faucet.matic.network/ and choose the Goerli network to get some tokens. Or you can drop an email with your ETH address to delroy(@)matic.network\n\nYou’re now set up to start looking for vulnerabilities.\n\n##Have questions?\nCheck out the forum and join the discussion on Discord.\nForum - https://forum.matic.network\nDiscord - https://discord.gg/XvpHAxZ\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Matic Network.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n|----------|--------|---------|------|\n|  $5,000  | $3,000 | $1,500    | $300 |\n\n## Indicative examples of valid attacks that could be done on Matic Network\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes)\nDDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n# In Scope Repositories\n\n* Heimdall - This github repository contains the source code for one of the core components of Matic. Heimdall is the heart of the Matic system. It manages validators, block producer selection, spans, the state-sync mechanism between Ethereum and Matic, and other essential aspects of the system.\n\nURL - https://github.com/maticnetwork/heimdall\nCategory - Critical\n\n* Bor - The Bor node or the Block Producer implementation is basically the sidechain operator. The sidechain VM is EVM-compatible. \n\nURL - https://github.com/maticnetwork/bor\nCategory - Critical\n\n* Contracts - This repository contains the smart contracts that power Matic Network\n\nURL - https://github.com/maticnetwork/contracts\nCategory - Critical\n\n# Out of Scope Repositories examples\n\n* Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n* Website - The Matic Network website\nURL - https://matic.network\n\n* Matic JS\nURL - https://github.com/maticnetwork/matic.js\n\n* Matic Scabbards\nURL - https://github.com/maticnetwork/matic-scabbards \n\nAnd any other repositories that are not mentioned “In-Scope” is considered as out of scope.\n\n\n## Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Matic Network and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-01T03:25:34.276Z"},{"id":3641896,"new_policy":"Matic Network looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nMatic Network will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Matic Network’s designated testnet for this program is prohibited\n* Attacking any other network than Matic Network is prohibited\n* Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n\n# Test Plan\n\n##Getting Started\n* If you are new to blockchains and/or to Matic, take a look at the Matic overview - https://docs.matic.network/docs/home/architecture/matic-architecture\n\n* Explore the code on GitHub there are 3 main repositories for you to study\nHeimdall - https://github.com/maticnetwork/heimdall\nBor - https://github.com/maticnetwork/bor\nContracts - https://github.com/maticnetwork/contracts \n\n##Setting up\n* Set up a test network locally with these instructions: Getting Started - Running a node on the local environment: https://github.com/maticnetwork/matic-cli\n\nThe Matic CLI repo is an easy way to setup and manage Matic validator nodes on a local environment. This would help in simulating tests and attacks locally.\n\n\n* If you want to run a node on the Counter Stake - Stage 2 staking testnet, you follow the instructions on these links:\n\n##Overview\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/getting-started\n\n##Linux Package\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/linux-package-installation\n\n##Binaries\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/running-with-binaries\n\n##Getting Tokens for Testing\n* To get tokens you can access our faucet: https://faucet.matic.network/ and choose the Goerli network to get some tokens. Or you can drop an email with your ETH address to delroy(@)matic.network\n\nYou’re now set up to start looking for vulnerabilities.\n\n##Have questions?\nCheck out the forum and join the discussion on Discord.\nForum - https://forum.matic.network\nDiscord - https://discord.gg/XvpHAxZ\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Matic Network.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n|----------|--------|---------|------|\n|  $5,000  | $3,000 | $1,500    | $300 |\n\n## Indicative examples of valid attacks that could be done on Matic Network\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes)\nDDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n# In Scope Repositories\n\n* Heimdall - This github repository contains the source code for one of the core components of Matic. Heimdall is the heart of the Matic system. It manages validators, block producer selection, spans, the state-sync mechanism between Ethereum and Matic, and other essential aspects of the system.\n\nURL - https://github.com/maticnetwork/heimdall\nCategory - Critical\n\n* Bor - The Bor node or the Block Producer implementation is basically the sidechain operator. The sidechain VM is EVM-compatible. \n\nURL - https://github.com/maticnetwork/bor\nCategory - Critical\n\n* Contracts - This repository contains the smart contracts that power Matic Network\n\nURL - https://github.com/maticnetwork/contracts\nCategory - Critical\n\n# Out of Scope Repositories examples\n\n* Website - The Matic Network website\nURL - https://matic.network\n\n* Matic JS\nURL - https://github.com/maticnetwork/matic.js\n\n* Matic Scabbards\nURL - https://github.com/maticnetwork/matic-scabbards \n\nAnd any other repositories that are not mentioned “In-Scope” is considered as out of scope.\n\n\n## Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Matic Network and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-09-01T03:02:40.217Z"},{"id":3641309,"new_policy":"Matic Network looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nMatic Network will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Matic Network’s designated testnet for this program is prohibited\n* Attacking any other network than Matic Network is prohibited\n* Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n\n# Test Plan\n\n##Getting Started\n* If you are new to blockchains and/or to Matic, take a look at the Matic overview - https://docs.matic.network/docs/home/architecture/matic-architecture\n\n* Explore the code on GitHub there are 3 main repositories for you to study\nHeimdall - https://github.com/maticnetwork/heimdall\nBor - https://github.com/maticnetwork/bor\nContracts - https://github.com/maticnetwork/contracts \n\n##Setting up\n* Set up a test network locally with these instructions: Getting Started - Running a node on the local environment: https://github.com/maticnetwork/matic-cli\n\nThe Matic CLI repo is an easy way to setup and manage Matic validator nodes on a local environment. This would help in simulating tests and attacks locally.\n\n\n* If you want to run a node on the Counter Stake - Stage 2 staking testnet, you follow the instructions on these links:\n\n##Overview\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/getting-started\n\n##Linux Package\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/linux-package-installation\n\n##Binaries\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/running-with-binaries\n\n##Getting Tokens for Testing\n* To get tokens you can access our faucet: https://faucet.matic.network/ and choose the Goerli network to get some tokens. Or you can drop an email with your ETH address to delroy(@)matic.network\n\nYou’re now set up to start looking for vulnerabilities.\n\n##Have questions?\nCheck out the forum and join the discussion on Discord.\nForum - https://forum.matic.network\nDiscord - https://discord.gg/XvpHAxZ\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Matic Network.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n|----------|--------|---------|------|\n|  $2,500  | $1,500 | $500    | $200 |\n\n## Indicative examples of valid attacks that could be done on Matic Network\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes)\nDDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n# In Scope Repositories\n\n* Heimdall - This github repository contains the source code for one of the core components of Matic. Heimdall is the heart of the Matic system. It manages validators, block producer selection, spans, the state-sync mechanism between Ethereum and Matic, and other essential aspects of the system.\n\nURL - https://github.com/maticnetwork/heimdall\nCategory - Critical\n\n* Bor - The Bor node or the Block Producer implementation is basically the sidechain operator. The sidechain VM is EVM-compatible. \n\nURL - https://github.com/maticnetwork/bor\nCategory - Critical\n\n* Contracts - This repository contains the smart contracts that power Matic Network\n\nURL - https://github.com/maticnetwork/contracts\nCategory - Critical\n\n# Out of Scope Repositories examples\n\n* Website - The Matic Network website\nURL - https://matic.network\n\n* Matic JS\nURL - https://github.com/maticnetwork/matic.js\n\n* Matic Scabbards\nURL - https://github.com/maticnetwork/matic-scabbards \n\nAnd any other repositories that are not mentioned “In-Scope” is considered as out of scope.\n\n\n## Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Matic Network and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-14T06:27:25.514Z"},{"id":3638308,"new_policy":"Matic Network looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nMatic Network will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Matic Network’s designated testnet for this program is prohibited\n* Attacking any other network than Matic Network is prohibited\n* Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n\n# Test Plan\n\n##Getting Started\n* If you are new to blockchains and/or to Matic, take a look at the Matic overview - https://docs.matic.network/docs/home/architecture/matic-architecture\n\n* Explore the code on GitHub there are 3 main repositories for you to study\nHeimdall - https://github.com/maticnetwork/heimdall\nBor - https://github.com/maticnetwork/bor\nContracts - https://github.com/maticnetwork/contracts \n\n##Setting up\n* Set up a test network locally with these instructions: Getting Started - Running a node on the local environment: https://github.com/maticnetwork/matic-cli\n\nThe Matic CLI repo is an easy way to setup and manage Matic validator nodes on a local environment. This would help in simulating tests and attacks locally.\n\n\n* If you want to run a node on the Counter Stake - Stage 2 staking testnet, you follow the instructions on these links:\n\n##Overview\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/getting-started\n\n##Linux Package\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/linux-package-installation\n\n##Binaries\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/running-with-binaries\n\n##Getting Tokens for Testing\n* To get tokens you can access our faucet: https://faucet.matic.network/ and choose the Goerli network to get some tokens. Or you can drop an email with your ETH address to delroy(@)matic.network\n\nYou’re now set up to start looking for vulnerabilities.\n\n##Have questions?\nCheck out the forum and join the discussion on Discord.\nForum - https://forum.matic.network\nDiscord - https://discord.gg/XvpHAxZ\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Matic Network.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n|----------|--------|---------|------|\n|  $5,000  | $3,000 | $1,500    | $300 |\n\n## Indicative examples of valid attacks that could be done on Matic Network\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes)\nDDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n# In Scope Repositories\n\n* Heimdall - This github repository contains the source code for one of the core components of Matic. Heimdall is the heart of the Matic system. It manages validators, block producer selection, spans, the state-sync mechanism between Ethereum and Matic, and other essential aspects of the system.\n\nURL - https://github.com/maticnetwork/heimdall\nCategory - Critical\n\n* Bor - The Bor node or the Block Producer implementation is basically the sidechain operator. The sidechain VM is EVM-compatible. \n\nURL - https://github.com/maticnetwork/bor\nCategory - Critical\n\n* Contracts - This repository contains the smart contracts that power Matic Network\n\nURL - https://github.com/maticnetwork/contracts\nCategory - Critical\n\n# Out of Scope Repositories examples\n\n* Website - The Matic Network website\nURL - https://matic.network\n\n* Matic JS\nURL - https://github.com/maticnetwork/matic.js\n\n* Matic Scabbards\nURL - https://github.com/maticnetwork/matic-scabbards \n\nAnd any other repositories that are not mentioned “In-Scope” is considered as out of scope.\n\n\n## Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Matic Network and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-23T04:51:19.076Z"},{"id":3637098,"new_policy":"Matic Network looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nMatic Network will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Matic Network’s designated testnet for this program is prohibited\n* Attacking any other network than Matic Network is prohibited\n* Any reports that are out of scope but that are deemed valuable or business impactful to Matic will be considered at Matic's discretion. These reports may be triaged (awarded Reputation Points) but will not be eligible for a bounty.\n\n\n# Test Plan\n\n##Getting Started\n* If you are new to blockchains and/or to Matic, take a look at the Matic overview - https://docs.matic.network/docs/home/architecture/matic-architecture\n\n* Explore the code on GitHub there are 3 main repositories for you to study\nHeimdall - https://github.com/maticnetwork/heimdall\nBor - https://github.com/maticnetwork/bor\nContracts - https://github.com/maticnetwork/contracts \n\n##Setting up\n* Set up a test network locally with these instructions: Getting Started - Running a node on the local environment: https://github.com/maticnetwork/matic-cli\n\nThe Matic CLI repo is an easy way to setup and manage Matic validator nodes on a local environment. This would help in simulating tests and attacks locally.\n\n\n* If you want to run a node on the Counter Stake - Stage 2 staking testnet, you follow the instructions on these links:\n\n##Overview\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/getting-started\n\n##Linux Package\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/linux-package-installation\n\n##Binaries\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/running-with-binaries\n\n##Getting Tokens for Testing\n* To get tokens you can access our faucet: https://faucet.matic.network/ and choose the Goerli network to get some tokens. Or you can drop an email with your ETH address to delroy(@)matic.network\n\nYou’re now set up to start looking for vulnerabilities.\n\n##Have questions?\nCheck out the forum and join the discussion on Discord.\nForum - https://forum.matic.network\nDiscord - https://discord.gg/XvpHAxZ\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Matic Network.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n|----------|--------|---------|------|\n|  $10,000  | $5,000 | $2,000    | $400 |\n\n## Indicative examples of valid attacks that could be done on Matic Network\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes)\nDDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n# In Scope Repositories\n\n* Heimdall - This github repository contains the source code for one of the core components of Matic. Heimdall is the heart of the Matic system. It manages validators, block producer selection, spans, the state-sync mechanism between Ethereum and Matic, and other essential aspects of the system.\n\nURL - https://github.com/maticnetwork/heimdall\nCategory - Critical\n\n* Bor - The Bor node or the Block Producer implementation is basically the sidechain operator. The sidechain VM is EVM-compatible. \n\nURL - https://github.com/maticnetwork/bor\nCategory - Critical\n\n* Contracts - This repository contains the smart contracts that power Matic Network\n\nURL - https://github.com/maticnetwork/contracts\nCategory - Critical\n\n# Out of Scope Repositories examples\n\n* Website - The Matic Network website\nURL - https://matic.network\n\n* Matic JS\nURL - https://github.com/maticnetwork/matic.js\n\n* Matic Scabbards\nURL - https://github.com/maticnetwork/matic-scabbards \n\nAnd any other repositories that are not mentioned “In-Scope” is considered as out of scope.\n\n\n## Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Matic Network and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-08T06:27:56.826Z"},{"id":3636889,"new_policy":"Matic Network looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.\n\n# Response Targets\nMatic Network will make a best effort to meet the following response targets for hackers participating in our program:\n\n* Time to first response (from report submit) - 2 business days\n* Time to triage (from report submit) - 2 business days\n* Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n\n# Program Rules\n* Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports out of scope will not be considered. Please check before you submit.\n* Attacking any other Testnet than Matic Network’s designated testnet for this program is prohibited\n* Attacking any other network than Matic Network is prohibited\n\n\n# Test Plan\n\n##Getting Started\n* If you are new to blockchains and/or to Matic, take a look at the Matic overview - https://docs.matic.network/docs/home/architecture/matic-architecture\n\n* Explore the code on GitHub there are 3 main repositories for you to study\nHeimdall - https://github.com/maticnetwork/heimdall\nBor - https://github.com/maticnetwork/bor\nContracts - https://github.com/maticnetwork/contracts \n\n##Setting up\n* Set up a test network locally with these instructions: Getting Started - Running a node on the local environment: https://github.com/maticnetwork/matic-cli\n\nThe Matic CLI repo is an easy way to setup and manage Matic validator nodes on a local environment. This would help in simulating tests and attacks locally.\n\n\n* If you want to run a node on the Counter Stake - Stage 2 staking testnet, you follow the instructions on these links:\n\n##Overview\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/getting-started\n\n##Linux Package\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/linux-package-installation\n\n##Binaries\n* https://docs.matic.network/docs/validate/counter-stake-stage-2/running-with-binaries\n\n##Getting Tokens for Testing\n* To get tokens you can access our faucet: https://faucet.matic.network/ and choose the Goerli network to get some tokens. Or you can drop an email with your ETH address to delroy(@)matic.network\n\nYou’re now set up to start looking for vulnerabilities.\n\n##Have questions?\nCheck out the forum and join the discussion on Discord.\nForum - https://forum.matic.network\nDiscord - https://discord.gg/XvpHAxZ\n\n# Rewards\nOur rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Matic Network.\n\n| Critical (9.0 - 10.0) | High (7.0 - 8.9)  | Medium (4.0 - 6.9) | Low (0.1 - 3.9) |\n|----------|--------|---------|------|\n|  $10,000  | $5,000 | $2,000    | $400 |\n\n## Indicative examples of valid attacks that could be done on Matic Network\n| Type of Attack |\n|----------|\n|  Double spend by getting the clients to accept a different chain |\n| Double spend by validating malicious blocks| \n| Tamper/manipulate blockchain history to invalidate transactions |\n| Cause network to mint tokens to own account |\n| Undermine consensus mechanism to split the chain |\n| Censorship (e.g. on votes) |\n| Steal tokens from node |\n| Prevent node from accessing the network |\n| Abuse bugs in the economic system to defraud other participants (e.g. avoid transaction fees to full nodes)\nDDOS attack |\n| Chain halt and shutting down the network |\n| ... |\n\n# In Scope Repositories\n\n* Heimdall - This github repository contains the source code for one of the core components of Matic. Heimdall is the heart of the Matic system. It manages validators, block producer selection, spans, the state-sync mechanism between Ethereum and Matic, and other essential aspects of the system.\n\nURL - https://github.com/maticnetwork/heimdall\nCategory - Critical\n\n* Bor - The Bor node or the Block Producer implementation is basically the sidechain operator. The sidechain VM is EVM-compatible. \n\nURL - https://github.com/maticnetwork/bor\nCategory - Critical\n\n* Contracts - This repository contains the smart contracts that power Matic Network\n\nURL - https://github.com/maticnetwork/contracts\nCategory - Critical\n\n# Out of Scope Repositories examples\n\n* Website - The Matic Network website\nURL - https://matic.network\n\n* Matic JS\nURL - https://github.com/maticnetwork/matic.js\n\n* Matic Scabbards\nURL - https://github.com/maticnetwork/matic-scabbards \n\nAnd any other repositories that are not mentioned “In-Scope” is considered as out of scope.\n\n\n## Out of scope vulnerabilities\n### When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:\n \n* Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).\n* Previously known vulnerabilities in Tendermint and or/any other fork of these.\n* Previously known vulnerabilities in cosmos-sdk and or/any other fork of these. \n* Attacks requiring MITM or physical access to a user's device.\n* Previously known vulnerable libraries without a working Proof of Concept.\n* Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.\n\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for helping keep Matic Network and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-01T02:08:06.321Z"}]