Disclosures
Last Modified: June 19, 2024
Vulnerability Rewards Program
No technology is perfect, and Unit 410 believes that working with skilled security researchers is crucial in identifying weaknesses in technology. If you believe you've found a security issue that affects staking nodes that we're running, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Disclosure Notification Policy
- Let us know as soon as possible upon discovery of a potential security issue, and, if there is any issue, we'll work to resolve it quickly.
- Allow a reasonable amount of time for us to resolve an issue before disclosing to the public or a third party.
- Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- All submissions of such disclosure notifications are subject to additional terms and conditions.
Tiers
Our reward tiers are as follows. Classification and qualification for any reward is up to Unit 410's exclusive judgment and discretion, and payment, if any, would be subject to additional terms and conditions and our ability to pay. We will make a reasonable effort to resolve submissions in a manner that is mutually beneficial.
Tier | Minimum Reward | Description |
---|---|---|
Critical | Shared on request | Exploits, system access or issues in key management, production crypto systems or contracts designed and managed by Unit 410 that could lead to the loss of > $1m of value. |
High | Shared on request | Direct access to other Unit 410 managed production systems or data that could lead to the loss of > $100k of funds. This excludes vulnerabilities introduced through network- or protocol-wide issues. |
Medium | Shared on request | Other issues with Unit 410 production systems, services or dependencies that could be used to disrupt operations or impact > $10k of value. Non-public vulnerabilities in underlying crypto protocols that can be mitigated. |
Low | Shared on request | Security (mis)configuration. |
Info | none | Best practices and other non-critical recommendations. |
Exclusions
To be considered for a reward, we'd ask you to refrain from:
- Denial of service
- Spamming
- Submitting email issues (SPF, DKIM, etc.) on subdomains
- Social engineering (including phishing) of Unit 410 staff or contractors
- Any physical attempts against Unit 410
Contact
Contact us via email: security@unit410.com