LAST UPDATED: 15 JUNE 2022
At Blast Off, it is our mission to bring the world a smarter, faster and more secure blockchain to accelerate the decentralization movement beyond every imaginable metric. How we secure and protect the information we collect and use in accomplishing this mission is paramount. To learn more about how we secure this information, please review the Guide to at Blast Off.
The Blast Off Security Team investigates reported security bugs as fast as possible. If you believe you have discovered a security bug in any of our applications or services, please contact the Blast Off Security Team at [email protected] with your responsible disclosure report and follow the security bug reporting requirements outlined in this policy (including using our optional PGP Key to encrypt your report). We ask that you do not publicly disclose any information about the potential security bug or its existence until it has been addressed by Blast Off. Typically this should not take longer than 30 days.
Generally we ask you to apply common sense when looking for security bugs in our systems and services. Keep in mind that you are accessing a production environment. We ask you to not perform any automated scans, checks and analysis or any type of (D)DoS or load testing against any Blast Off system or service. Your activity must not violate any laws.
We do not operate a rewards program for reported security bugs, but we might decide to reward the responsible disclosure of a security bug on a case-by-case basis. Any kind of reward is entirely at our own discretion.
The following is an example run-through of a responsible security bug report in a Blast Off service.
If you think you have identified a security vulnerability or bug in our Identity Services, please report it to the Blast Off security team at [email protected] as described in the SupraOracles Responsible Security Bug Disclosure Policy.
Every submission is reviewed by Blast Off's Security Team. Note that some of the reported issues may not qualify. We do not consider reports which do not include manual validation of the issue, such as reports based on the output generated by automated tools and scanners, or reports which describe a theoretical attack flow without a valid proof of concept that demonstrates the exploitation. Attack vectors that require an excessive amount of user interaction will be carefully reviewed, but if the scenario is evaluated as too unrealistic, the submission will be rejected.
In addition, we exclude any vulnerability class that is present in the list below:
When you send us a responsible disclosure report please make sure it contains the information outlined below. This way we can speed up the verification and remediation process. It will also reduce the time it takes us to respond to your report.
Make sure the email subject clearly states that you are reporting a security bug. E.g.: [Security Bug Report for supraoracles/blastoff]
The email body should provide at least the following information:
If you have any questions about our responsible disclosure policy or any general security question, please drop us an email at [email protected].