This repo describes the Security Policy for Enzyme, including how to disclose vulnerabilities and information about the ongoing Bug Bounty program. We are committed to conducting our Security Policy in a professional and collaborative manner.
The Enzyme Council has established certain guidelines for responsible disclosure in its protocol. This document outlines the following:
- Establishing secure contact with a key Technical Council Member
- What details to provide when making such a disclosure

Establishing Secure Contact
The Enzyme Council is committed to working with researchers who securely submit security vulnerability notifications to us, and to resolve those issues quickly.
For all security-related issues, Enzyme has an email address through which all key security contacts can be reached. Email security at enzyme.finance to let us know that you have something you would like to disclose. Please state in your email whether the vulnerability you have discovered is of critical, high, medium or low severity. Do not, however, disclose the details of the vulnerability until a member of the Council has responded to you.
In parallel, you may also reach out to key security members on the Council and establish a secure line. Again, please do not disclose any details of the vulnerability until you have had a response from one of these parties.
| Contact | Keybase |
|---|---|
| Mona El Isa (Core Team & Council) | @elisafly |
| Sean Casey (Lead dev & Council) | @dnjc |
| Sebastian Siemssen (Lead dev & Council) | @fubhy |
| Ivan Herger (Lead dev & Council) | @yogivan |
| Paul Salis (Technical Council) | @paulsalis |
| Matthias Egli (Technical Council) | @matthiasegli |
| Dominic (Technical Council) | @dominic91 |
| Nic Munoz McDonald (Technical Council) | @niconline |
| Theophille (Technical Council) | @theophile |
Once a secure line has been established, a member of the Council will instruct you on the next steps and provide a secure channel for you to disclose details to a small group of people.
When disclosing the issue, your report should include:
- A description of the suspected vulnerability
- Steps to reproduce the issue
- A secure way to contact you
- Your name and/or those of your colleagues, if you wish to be recognized later
- A suggested patch and/or suggestions for resolving the vulnerability (optional)
Enzyme has a Bug Bounty program to encourage security researchers to spend time studying the protocol in order to uncover vulnerabilities. We believe these researchers should get fairly compensated for their time and effort, and acknowledged for their valuable contributions. More information about this can be found here.
| Severity | Bounty |
|---|---|
| Critical | Up to $400,000 USDC |
| High | Up to $80,000 USDC |
| Medium | Up to $20,000 USDC |
| Low | Up to $2,000 USDC |
Actual payouts are determined by classifying the vulnerability based on its impact and the likelihood of it being exploited successfully, as well as on how the process of working with the disclosing security researcher goes.
For a detailed description of our bug submission process, as well as some examples of vulnerabilities we would prioritize, please refer to our bounty page on Immunefi.
Parts of this policy were inspired by Grin's security policy and DarrenRM’s proposed Responsible Disclosure policy.