The Crescendo upgrade with EVM on Flow and Cadence 1.0 is here! Learn more

Flow Responsible Disclosure

Guidelines for Responsible Disclosure

Flow was built from the ground up with security in mind. Our code, infrastructure, and development methodology help us keep our users safe.

We appreciate and encourage the security researcher community to report potential vulnerabilities in our assets.If you identify a vulnerability, please notify us using the following guidelines. 

Things To Do:

  • Make every effort to avoid unauthorized access, use, downloading, destruction, or disclosure of personal or confidential information.
  • Avoid actions which could impact user experience, disrupt production systems, change, or destroy data during security testing.
  • Use our provided communication channels to report vulnerability information to us.
  • Keep information about any vulnerability you discover confidential between us for a reasonable time that will allow us to review and resolve the vulnerability or until we have notified you that the vulnerability has been resolved. 
  • Only test assets covered by the “Assets In Scope” section.

Things Not To Do:

  • Do not include Sensitive Data in your reports. See the “Sensitive Data” section for further information.
  • Do not perform any attack that may cause denial-of-service to the network, hosts, applications, or services on any port or protocol.
  • Do not use automated scanners to crawl us or hammer endpoints. 
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Do not perform physical testing such as office and data-center access (e.g., open doors, tailgating, card reader attacks, or physically destructive testing).
  • Do not test assets explicitly listed in the “Assets Out of Scope” section.

Assets In Scope

To be eligible for a reward, you may report a vulnerability in one or more of the following Flow assets: 
  • *.flow.com
  • *.onflow.org

Assets Out of Scope

The following assets are excluded from the Responsible Disclosure Program: 
  • n/a

Sensitive Data

In the interests of protecting privacy, we never want to receive reports containing:
  • Personal Information
  • Payment card data (e.g. credit card numbers)
  • Financial information (e.g. bank account numbers)
  • Accessed or cracked credentials in cleartext

Exclusions (Non-Qualifying Vulnerabilities)

Flow Protocol Exclusions:

Flow ecosystem is working on progressively decentralizing the network by hardening the protocol level security and introducing permissionless nodes. For this reason, Flow still relies on protocol-compliant nodes and bounties are limited to permissionless node types. Only attacks originating from Access and observer nodes will qualify.

Protocol-level vulnerabilities which are only exploitable through the control of Collection, Consensus, Execution or Verification nodes are excluded.

Web Application Exclusions:

The following web application vulnerabilities are excluded from this program:
  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Attacks requiring MITM or physical access to a user's device.
  • Use of a known-vulnerable library without evidence of exploitability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service or denial-of-service attack (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Rate limiting or brute force issues on non-authentication endpoints.
  • Missing best practices in Content Security Policy (CSP).
  • Missing HttpOnly or Secure flags on cookies.
  • Missing email best practices (Invalid, or incomplete SPF/DKIM/DMARC records, etc.)
  • Vulnerabilities only affecting users of outdated or unpatched browsers (i.e., less than two stable versions behind the latest released stable version).
  • Software version disclosure, banner identification issues, or descriptive error messages or headers (e.g., stack traces, application, or server errors).
  • Issues that require unlikely user interaction.
  • Social engineering of Flow staff or contractors.
  • Tabnabbing.

Our Commitment To You

Activities conducted in accordance with the Responsible Disclose Program shall be considered authorized, and we will not initiate legal action against you. Flow reserves all legal rights in the event of noncompliance with this program. 

We will work with you and investigate and resolve vulnerabilities within a reasonable timeframe.

We reserve the right to change the Responsible Disclosure Program at any time.

Rewards

Rewards are based on the severity of the vulnerability. Reward amounts, if any, will be determined by us in our sole discretion. A maximum of $1M of rewards per person or organization shall be paid within any 12 consecutive months based on the reward value at time of payment. Additionally, all bounty rewards are subject to applicable law. 

To qualify for a reward, the vulnerability must fall within our Assets In Scope, comply with our Responsible Disclosure Guidelines, and meet the following criteria:

  1. Previously unknown - When reported, we must not have already known of the issue, either by internal discovery or other report.
  2. Material impact - Demonstrable vulnerability where, if exploited, the vulnerability would materially affect the confidentiality, integrity, or availability of our assets.
  3. Requires action - The vulnerability requires some mitigation.
  4. Your participation is not prohibited by applicable law.

The following defines the rewards for Flow protocol and cadence:

  • Severity: Critical
    Reward: 
    $100,000 USD
    Criteria:

    - Emergency remediation
    - Public announcement
    - Hard-forking of a smart contract
  • Severity: High
    Reward: 
    $50,000 USD
    Criteria:

    - Immediate analysis and action is necessary
    - Public disclosure in most cases
    - Exploitation would significantly affect the business
    - Eventual fix of smart contract
  • Severity: Medium
    Reward: 
    $10,000 USD
    Criteria:

    - Remediation required, but impact is not significant
  • Severity: Low
    Reward: 
    $1000 USD
    Criteria:

    - Low risk issues like misconfigurations with no proven path to exploit

Reporting Vulnerabilities To Us

Please do reach out to us if you have a security concern. If you believe you may have found a security vulnerability in one of our products or platforms, send us an email: [email protected]

If you prefer to encrypt the information you send us please use our PGP key at OpenPGP Key Server.

Please include the following details with your report:

  • A description of the location (e.g. playground/emulator/CLI/Testnet/domain) and the potential impact of the vulnerabilities;
  • A detailed description of the steps required to reproduce the vulnerability; and
  • Any proof of concept, screenshots, and screen captures. Where feasible, please also include the following:

    1. Cadence Version or Node with Software Version
    2. A transaction or a script that demonstrates the issue
    3. Link to relevant documentation in case the documentation is unclear/ambiguous, or mention if this is not covered by docs
Please respond to any follow-up requests from our team for updates or additional information.