
Security: Ricochet-Exchange/ricochet-frontend


Security

The Ricochet bounty program rewards anyone who finds a bug in the covered Ricochet web app.

Rules and Rewards

  • Issues that have already been submitted by another user or are already known to the Ricochet team are not eligible for bounty rewards.
  • Public disclosure of a vulnerability makes it ineligible for a bounty. This includes exploiting the bug on mainnet or any public test network.
  • Members of the Ricochet team, employees, and anyone else paid by the Ricochet project, directly or indirectly, are not eligible for rewards.
  • Only the sites listed below are eligible for rewards.
  • The Ricochet bounty program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Ricochet team.

The value of rewards paid out will vary depending on Severity. Severity is calculated according to the OWASP risk rating model, which combines Impact and Likelihood.

Reward sizes are guided by the tiers below but are, in the end, determined at the sole discretion of the Ricochet team:

  • Critical: up to $25,000 USD
  • High: up to $12,500 USD
  • Medium: up to $5,000 USD
  • Low: up to $2,000 USD
  • Note: up to $1,000 USD

The Ricochet team reserves the right to adjust bounty amounts at any time in the future.

In addition to Severity, other variables are also considered when the Ricochet team decides the score, including (but not limited to):

  • Quality of description. Higher rewards are paid for clear, well-written submissions.
  • Quality of reproducibility. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
  • Quality of fix, if included. Higher rewards are paid for submissions with clear description of how to fix the issue.

Covered Websites

The following websites are covered by the bounty:

Important Legal Information

The bug bounty program is a discretionary rewards program for the Ricochet community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of the Ricochet team. You are responsible for all taxes. All awards are subject to applicable law. Any patches must be offered under the same license as the repository they affect. Finally, your testing must not violate any law or compromise any data that is not yours.

Submitting a Bug

Bugs should be submitted via email to [email protected], or on Discord to shepardblue#8122.
