This document describes the smart contract disclosure process for Art Blocks, including vulnerability disclosures. We are committed to conducting our smart contract security process in a professional and civil manner, and we expect the same from our community. Public shaming, under-reporting, or misrepresentation of vulnerabilities will not be tolerated.
Art Blocks follows a community standard for responsible disclosure in cryptocurrency and related software. This document is a public commitment to following the standard.
The standard provides detailed information for:
- Initial Contact: how to establish initial contact with the project team
- Giving Details: what details to provide when reporting a vulnerability
- Setting Dates: how to agree on timelines for releasing updates and public disclosures
Art Blocks will receive vulnerability reports through the following channels:
Contact | Public Key | Email
---|---|---
ryley-o.eth | PGP | [email protected] |
dogbot | PGP | [email protected] |
aaronpenne | PGP | [email protected] |
lyaunzbe | PGP | [email protected] |
The standard expects reporters of vulnerabilities to include the full details of an issue so that it can be reproduced. This is necessary, for instance, when an external researcher is both demonstrating and proving that there really is a security issue and that it really has the impact they say it has, which allows the development team to accurately prioritize and resolve the issue.
In the case of a counterfeiting or fund-stealing bug affecting Art Blocks, however, we might decide not to include those details with our reports to partners ahead of coordinated release, as long as we are sure that they are not vulnerable.
Parts of this document were inspired by the Yearn Finance security policy.