Responsible Security Bug Disclosure Policy

LAST UPDATED: 15 JUNE 2022

At SupraOracles, it is our mission to bring the world a smarter, faster and more secure blockchain to accelerate the decentralization movement beyond every imaginable metric. It is paramount how we secure and protect the information we collect and use when accomplishing this mission. To learn more about how we secure this information, please review the Guide to at SupraOracles.

The SupraOracles Security Team investigates reported security bugs as fast as possible. If you believe you have discovered a security bug in any of our applications or services please contact the SupraOracles Security Team at [email protected] with your responsible disclosure report and follow the security bug reporting requirements outlined in this policy (including using our optional PGP Key to encrypt your report). We ask that you do not publicly disclose any information about the potential security bug or the existence of said security bug until it has been addressed by SupraOracles. Typically this should not take longer than 30 days.

Generally we ask you to apply common sense when looking for security bugs in our systems and services. Keep in mind that you are accessing a production environment. We ask you to not perform any automated scans, checks and analysis or any type of (D)DoS or load testing against any SupraOracles system or service. Your activity must not violate any laws.

We do not operate a rewards program for reported security bugs, but we might decide to reward the responsible disclosure of a security bug on a case by case basis. Any kind of reward is entirely at our own discretion.

The following is an example run through of a responsible security bug report in an SupraOracles service.

• Researcher identifies potential security bug.
• Researcher assembles a basic report containing the information outlined above and submits it via email.
• The Security Team will review the report, verify the reported security bug and respond with confirmation and/or further information requests; we typically reply within 24 hours.
• Once the reported security bug has been addressed the SupraOracles Security Team will notify the Researcher.

If you think you have identified a security vulnerability or bug in our Identity Services, please report it to the SupraOracles security team at [email protected] and as described in the SupraOracles Responsible Security Bug Disclosure Policy.

Every submission is reviewed by SupraOracles's Security Team, note that some of the reported issues may not qualify. We do not consider reports which do not include manual validation of the issue - such as reports based on the output generated by automated tools and scanners - or reports which describe theoretical attack flow without a valid proof of concept that demonstrate the exploitation. Attack vectors that require an exceeding amount of user interaction will be carefully reviewed but if the scenario is evaluated as too unrealistic, the submission will be rejected.

In addition, we consider to be excluded any vulnerability classes that is present in the list below:

• Lack of security headers
• Lack of cookie attributes
• Social engineering (eg. phishing, self-xss)
• (D)DoS
• Email spoofing
• Username / email enumeration (eg. via login page or forgot password form)
• Banner, version or internal ip information disclosure
• Physical testing

When you send us a responsible disclosure report please make sure it contains the information outlined below. This way we can speed up the verification and remediation process. It will also reduce the time it takes us to respond to your report.

Make sure the email subject clearly states that you are reporting a security bug. E.g.: [Security Bug Report for SupraOracles.com ]

The email body should provide at least the following information:

• Your preferred means of communication and a PGP key if you wish to receive encrypted emails. By default we will reply to the email address from which you sent the responsible disclosure report.
• The type of security bug you are reporting. E.g.: XSS, CSRF, SQLi, RCE.
• The systems/services/endpoints which are affected. E.g.: IPs, FQDNs, Deep-Links.
• Any details you can provide, e.g. screenshots, screen recordings, http/s transaction logs, POC exploits (please do not share any evidence via unauthenticated file drops. Contact us first in order to agree on a way to securely share files > 15MB).
• The date and time when you identified the security bug.
• (optional) The time frame during which you tested our systems and services as well as the source IPs your requests have been sent from. This will help us train our intrusion detection and log analysis systems.

If you have any questions around our responsible disclosure policy or any general security question please drop us an email at [email protected].