We’re extremely grateful for security researchers and users that report vulnerabilities to the Celo community. All reports are thoroughly investigated.

The Celo community asks that all suspected vulnerabilities be privately and responsibly disclosed.

1. Submit your vulnerability to Celo on Remedy. This is currently a private program in beta. Message us for an invite.

2. You can also email the security.report@clabs.co list with the details for reproducing the vulnerability as well as the usual details expected for all bug reports.

   You may encrypt your email using this GPG key, but encryption is NOT required:

   PGP Fingerprint ID: A22B62A5EAFB6948
   

• Celo protocol

However, the team may be able to assist in coordinating a response to a vulnerability in the third-party apps or tools in the Celo ecosystem.

• https://celo.org
• https://*.celo.org
• https://*.clabs.co
• https://github.com/celo-org/*
• https://stcelo.xyz
• https://*.stcelo.xyz

• Verbose messages/files/directory listings without disclosing any sensitive information
• CORS misconfiguration on non-sensitive endpoints
• Missing cookie flags
• Missing security headers
• Presence of autocomplete attribute on web forms
• Bypassing rate-limits
• Clickjacking on pages with no sensitive actions
• Host header injection without proven business impact
• Anything related to email spoofing, SPF, DMARC or DKIM
• Open ports without an accompanying proof-of-concept demonstrating vulnerability
• Open write access of documents pertain to the community

• In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate.
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity.
• Spam, social engineering and physical intrusion
• DoS/DDoS attacks or brute force attacks
• Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted.
• Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts
• Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty.
• Reports that state that software is out of date/vulnerable without a proof-of-concept

• ❓What will happen if a vulnerability is reported and is known to the company from their own tests?

  It will be flagged as a duplicate

• ❓What kind of exploits are excluded from the program or may be lowered in severity?

  • Reports that state that software is out of date/vulnerable without a proof-of-concept
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces
  • Issues that would require complex end user interactions to be exploited
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions)
  • Attacks requiring physical access to a victim’s computer/device
  • Man in The Middle
  • Compromised User Accounts

• ❓Do you accept recently disclosed zero-day vulnerabilities?

  We need time to patch our systems just like everyone else - please give us 2 weeks before reporting