Responsible Disclosure

Last Updated: January 5, 2021

SIREN's bug bounty program encourages members of the community to help identify and fix vulnerabilities before they can potentially be exploited.

Introduction

Siren recognizes the importance of contributor efforts to help keep the community and the use of the protocol safe.

Please note that this page only refers to the disclosure of software security-related issues.

A valid issue is one that demonstrates a software vulnerability that potentially exploits the protocol or its users. The Siren core developers and/or governance token holders will be the sole determiners of whether or not an issue is valid.

Disclosure Requirements

Siren does not authorize security research on other entities. Complying with the Security / Bug Bounty Program policy requires researchers to adhere to “Responsible Disclosure”. Responsible Disclosure includes:

  • Providing Siren a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.
  • Making a good faith effort to preserve the confidentiality and integrity of any data.
  • Not defrauding Siren users or Siren itself in the process of research.
  • Not profiting from or allowing any other party to profit from a vulnerability.
  • Reporting vulnerabilities with conditions, demands, or ransom threats.

Siren considers Social Engineering attacks against Siren contributors to be out of scope. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.

Report Evaluation

In order to be deemed valid, a report must demonstrate a software vulnerability in code provided by Siren. Reports that include a clear Proof of Concept or specific step by step instructions to replicate the vulnerability are considerably more effective at communicating findings and are therefore far more likely to be deemed valid.

A report must be a valid, in scope report in order to qualify for a bounty. Siren at its sole discretion, may award bounties for an amount to be determined on a case-by-case basis, based on severity of the vulnerability. 

Report Closure

Siren reviews all findings that are reported via our Bug Bounty Program. Each report submission is reviewed and evaluated to ensure validity. If the description in the report is unclear, Siren will request additional information from the reporter. After all information is aggregated; the report submission goes through an internal review and scoring process. After the internal review process is complete, any bugs that are not reproducible, invalid or informative will be closed.

PLEASE NOTE: It is up to the researcher to provide detailed information and supporting evidence to support all reports. Failure to provide a detailed report will result in delayed triage and/or closure leading up to a resolution.

Scope

The Siren Bug Bounty program scope covers all software vulnerabilities in technology directly released by Siren. It does not cover third party services and/or utilities. Nor platforms and/or services that have integrated the protocol, which are subject to their own bug bounty and/or security-related responsible disclosure programs.

Additionally, all vulnerabilities that require or are related to the following are out of scope:

  • Social engineering
  • Physical security
  • Non-security-impacting UX issues
  • Deprecated Open Source libraries
  • Vulnerabilities or weaknesses in third party applications that integrate with Siren

If you feel that a particular asset or activity not mentioned here should be in scope, please submit a report along with a brief description of why you believe that the asset should be covered by this scope.

Program

We reserve the right to modify the Bug Bounty Program or cancel the Bug Bounty Program at any time.