Responsible Security Bug Disclosure Policy
LAST UPDATED: 15 JUNE 2022
At SupraOracles, it is our mission to bring the world a smarter, faster and more secure blockchain to accelerate the decentralization movement beyond every imaginable metric. It is paramount how we secure and protect the information we collect and use when accomplishing this mission. To learn more about how we secure this information, please review the Guide to Security at SupraOracles.
The SupraOracles Security Team investigates reported security bugs as fast as possible. If you believe you have discovered a security bug in any of our applications or services please contact the SupraOracles Security Team at firstname.lastname@example.org with your responsible disclosure report and follow the security bug reporting requirements outlined in this policy (including using our optional PGP Key to encrypt your report). We ask that you do not publicly disclose any information about the potential security bug or the existence of said security bug until it has been addressed by SupraOracles. Typically this should not take longer than 30 days.
Generally, we ask you to apply common sense when looking for security bugs in our systems and services. Keep in mind that you are accessing a production environment. We ask you not to perform any automated scans, checks or analysis, or any type of (D)DoS or load testing, against any SupraOracles system or service. Your activity must not violate any laws.
We do not operate a rewards program for reported security bugs, but we may decide to reward the responsible disclosure of a security bug on a case-by-case basis. Any kind of reward is entirely at our own discretion.
What is the security bug reporting process?
The following is an example run-through of a responsible security bug report for a SupraOracles service.
If you think you have identified a security vulnerability or bug in our Identity Services, please report it to the SupraOracles security team at email@example.com and as described in the SupraOracles Responsible Security Bug Disclosure Policy.
Which vulnerability reports do we review?
Every submission is reviewed by the SupraOracles Security Team; note that some reported issues may not qualify. We do not consider reports which do not include manual validation of the issue (such as reports based solely on the output of automated tools and scanners) or reports which describe a theoretical attack flow without a valid proof of concept that demonstrates the exploitation. Attack vectors that require an excessive amount of user interaction will be carefully reviewed, but if the scenario is evaluated as too unrealistic, the submission will be rejected.
In addition, we consider any vulnerability class present in the list below to be excluded:
What should your report look like?
When you send us a responsible disclosure report, please make sure it contains the information outlined below. This speeds up the verification and remediation process and reduces the time it takes us to respond to your report.
Make sure the email subject clearly states that you are reporting a security bug, e.g.: [Security Bug Report for SupraOracles.com]
The email body should provide at least the following information:
If you have any questions about our responsible disclosure policy, or any general security question, please drop us an email at firstname.lastname@example.org.