We ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed to protect the people using Crypto.org’s protocols. In addition to this, we ask that you:
- Allow us a reasonable amount of time to correct or address security vulnerabilities.
- Avoid exploiting any vulnerabilities that you discover.
- Demonstrate good faith by not disrupting or degrading Crypto.org’s data or services.
Once we receive a vulnerability report, Crypto.org will take these steps to address it:
- Crypto.org will confirm receipt of the vulnerability report within 5 business days. The timing of our response may depend on when a report is submitted. As our daily operations are distributed in time zones across the globe, response times may vary. If you have not received a response to a vulnerability report from us within 5 business days, we encourage you to follow up with us again for a response.
- Crypto.org will investigate and validate the security issue submitted to us as quickly as we can, usually within 10 business days of receipt. Submitting a thorough report with clear steps to recreate the vulnerability and/or a proof-of-concept will move the process along in a timely manner.
- Crypto.org will acknowledge the bug, and make the necessary code changes to patch it. Some issues may require more time than others to patch, but we will strive to patch each vulnerability as quickly as our resources and development process allow.
- Crypto.org will publicly release the security patch for the vulnerability, and acknowledge the security fix in the release notes once the issue has been resolved. Public release notes can reference to the person or people who reported the vulnerability, unless they wish to stay anonymous.
If you find a security issue, you can contact our team directly at chain-security@crypto.org.
The following key can be used to communicate sensitive information to this email address:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEXUqLzhYJKwYBBAHaRw8BAQdAPBcxA1UIEZH+9lk1nyx9Lml6HC+N9gsoOHW4
QtRwLA60Q0NyeXB0by5jb20gQ2hhaW4gKENoYWluIFNlY3VyaXR5IGFsaWFzKSA8
Y2hhaW4tc2VjdXJpdHlAY3J5cHRvLmNvbT6IkAQTFggAOBYhBP4RUHmmU1JUI4bg
lI/op3Om4R2lBQJdSovOAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEI/o
p3Om4R2lkFEA/iKjrYFvWuwVcAcsiLQC0Su9INXwrb6voGkXTtIkTOY8AP9rc1sW
6LG0A/f5wqIQxauQCXohFF6dogSUHTghSN3FAbg4BF1Ki84SCisGAQQBl1UBBQEB
B0Clox9gYNHHDdWoG7ASSnPL4XtQKd5Ic2BEBbL96AZueQMBCAeIeAQYFggAIBYh
BP4RUHmmU1JUI4bglI/op3Om4R2lBQJdSovOAhsMAAoJEI/op3Om4R2lMbwA/1Ol
PXOsTvkBEyITp4pitott/fYgbTbcf19vSpUAPOdZAP9TWqypvKnG3f0FwckJwMB+
lKMS+/mfuYvXWtrqOWN5AQ==
=GZRl
-----END PGP PUBLIC KEY BLOCK-----
You can also contact cryptocom account on Wire, its key fingerprint is:
2009df951d8880a4f319c6bafb2da6376d5e5aeb927a5ef10b8074af8b9df8c8