At Tendermint, we highly value security. Learn about how we deal with security and vulnerability reports below.
Security researchers and white hat hackers are a vital part of building strong, resilient cryptocurrency protocols. At Tendermint & Cosmos, we actively support the work that hackers and researchers do to find, report and patch security vulnerabilities.
If you're here because you're trying to figure out how to notify us of a security issue, please send an email to us directly at [email protected], or report the issue to our public HackerOne program. Please avoid opening public issues on Github that contain information about a potential security vulnerability as this makes it difficult to reduce the impact and harm of valid security issues.
We ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed to protect the people using Tendermint’s protocols. In addition to this, we ask that you:
Tendermint uses the following disclosure process:
This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible, however it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep Tendermint and its downstream dependent projects--including but not limited to Gaia and the Cosmos Hub--as secure as possible.
At Tendermint, we strongly believe in compensating researchers for the time they spend in making cryptocurrencies stronger and more resilient. Depending on the severity and criticality of an issue, researchers who report bugs and respect our vulnerability disclosure policy may be eligible for rewards through our bug bounty program (opens new window) with HackerOne.
The full scope of our bug bounty program is outlined on our Hacker One program page (opens new window). Please also note that, in the interest of the safety of our users and staff, a few things are explicitly excluded from scope:
You can contact our team directly at [email protected] which is monitored by the team, or report issues to us through our bug bounty program on HackerOne. Please avoid filing security issues in public repositories as this method of contact fully discloses security bugs to friends and adversaries alike, and makes it difficult for us to reduce harm for our users and community.
To report the issue through a PGP-encrypted email, here is our pubkey fingerprint: 57D0 5C29 94CE 536A (opens new window)
# curl + gpg pro tip: import allinbitsinc's keys
curl https://keybase.io/allinbitsinc/pgp_keys.asc | gpg --import