Security

At Tendermint, we highly value security. Learn about how we deal with security and vulnerability reports below.

Vulnerabilities

Security researchers and white hat hackers are a vital part of building strong, resilient cryptocurrency protocols. At Tendermint & Cosmos, we actively support the work that hackers and researchers do to find, report and patch security vulnerabilities.

If you're here because you're trying to figure out how to notify us of a security issue, please send an email to us directly at [email protected], or report the issue to our public HackerOne program. Please avoid opening public issues on GitHub that contain information about a potential security vulnerability, as this makes it difficult to reduce the impact and harm of valid security issues.

Coordinated Vulnerability Disclosure Policy

We ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed to protect the people using Tendermint’s protocols. In addition to this, we ask that you:

  • Allow us a reasonable amount of time to correct or address security vulnerabilities.
  • Avoid exploiting any vulnerabilities that you discover.
  • Demonstrate good faith by not disrupting or degrading Tendermint’s data or services.

Vulnerability Disclosure Process

Tendermint uses the following disclosure process:

  1. Once a security report is received, the Tendermint team works to verify the issue and confirm its severity level using CVSS.
  2. The Tendermint team collaborates with the Gaia team to determine the vulnerability’s potential impact on the Cosmos Hub.
  3. Patches are prepared for eligible releases of Tendermint in private repositories. See “Supported Releases” below for more information on which releases are considered eligible.
  4. If it is determined that a CVE-ID is required, we request a CVE through a CVE Numbering Authority.
  5. We notify the community that a security release is coming, to give users time to prepare their systems for the update. Notifications can include forum posts, tweets, and emails to partners and validators, including emails sent to the Tendermint Security Mailing List.
  6. 24 hours following this notification, the fixes are applied publicly and new releases are issued.
  7. Cosmos SDK and Gaia update their Tendermint dependencies to use these releases, and then themselves issue new releases.
  8. Once releases are available for Tendermint, Cosmos SDK and Gaia, we notify the community again through the same channels as above. We also publish a Security Advisory on GitHub and publish the CVE, as long as neither the Security Advisory nor the CVE includes any information on how to exploit these vulnerabilities beyond what is already available in the patch itself.
  9. Once the community is notified, we will pay out any relevant bug bounties to submitters.
  10. One week after the releases go out, we will publish a post with further details on the vulnerability as well as our response to it.

This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible, but it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep Tendermint and its downstream dependent projects--including but not limited to Gaia and the Cosmos Hub--as secure as possible.

Bug Bounty Program

At Tendermint, we strongly believe in compensating researchers for the time they spend in making cryptocurrencies stronger and more resilient. Depending on the severity and criticality of an issue, researchers who report bugs and respect our vulnerability disclosure policy may be eligible for rewards through our bug bounty program with HackerOne.

  • Bounty reward amounts are based on many factors, including impact, risk, likelihood of exploitation, and report quality.
  • For severe bugs or exceptional bug reports, we may decide to pay lower-tier bugs a higher-tier reward.
  • If we receive duplicate bug reports, we will award a bounty to the first person who reported the issue. Any bugs that are found in services that we use (i.e. Mailchimp, Meetup, Discord) are ineligible for rewards, and should be disclosed directly to those services.
  • To learn more about the scope of our bug bounty program or to report a bug, please visit HackerOne.

Scope

The full scope of our bug bounty program is outlined on our HackerOne program page. Please also note that, in the interest of the safety of our users and staff, a few things are explicitly excluded from scope:

  • Any third-party services
  • Findings from physical testing, such as office access
  • Findings derived from social engineering (e.g., phishing)

Contact Us

You can contact our team directly at [email protected] which is monitored by the team, or report issues to us through our bug bounty program on HackerOne. Please avoid filing security issues in public repositories as this method of contact fully discloses security bugs to friends and adversaries alike, and makes it difficult for us to reduce harm for our users and community.

To report the issue through a PGP-encrypted email, here is our pubkey fingerprint: 57D0 5C29 94CE 536A

# curl + gpg pro tip: import allinbitsinc's keys
curl https://keybase.io/allinbitsinc/pgp_keys.asc | gpg --import