Flux CVE Registration

The Flux Team, Community and Foundation are proud to announce Flux’s application to become a CNA.

A secure environment is only possible through the rapid sharing and deployment of knowledge. Flux aims to contribute to this through the Common Vulnerabilities and Exposures (CVE) organization, run and operated by MITRE.

CVE is a central database of known vulnerabilities; it is used as a source by many anti-malware and anti-virus software providers. Becoming part of the standard-setting family would repay the community for the trust they have shown in us so far and help us facilitate a safer environment for all.

The Flux team strives to deliver a strong effort in support of all CVE’s efforts and values.

Please, contribute to our code!

Responsible Disclosure Policy

To encourage responsible disclosure, no legal action shall be taken against you, provided you adhere to the following points:

1. The Flux Blockchain and nodes: Any and all exploits are to be confined to a private testnet or regtest for validation purposes. Any code modifications carried out to run exploits need to be disclosed along with the effects for full validation.

2. For the FluxOS distributed operating system, any and all exploits are confined to their own nodes for validation purposes. Should additional nodes be required to fully validate more serious/extensive effects (“ripple attacks”), the Flux team will assist with a private testnet.

3. Submissions can only be made to [email protected]; using the attached PGP keys for encryption is a requirement.

4. Include an email for responses in your report.

5. Adhere to the timeframes laid out in the initial confirmation-of-report emails. As we are a small team, the only absolute promise we can make is an acknowledgement within 24 hours, which will include full timeframes for remedial action, public disclosure, as well as publication and acknowledgement.

All bugs will be evaluated according to the CVSS scoring scale and rewarded accordingly. The CVSS levels are:

How it works:

A. Adhere to the Responsible Disclosure Policy.

B. Make all possible effort to not interrupt or degrade our service.

C. Do not attempt to gain unauthorized access to user accounts, assets or information (use your own account/accounts to test against).

D. Do not copy or modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.

E. Do not exploit a security issue you discover beyond the point of validation on your own accounts/nodes.

F. We publish a list of researchers who have submitted valid security reports.

G. However, should you wish to remain anonymous, we will respect your privacy.

H. We reserve the right to determine timeframes for publishing reports (and accompanying updates) pertaining to each instance. However, we will provide best-effort information to you on all such issues.

Eligibility Requirements

We have the right to remove you from the Bug Bounty Program and disqualify you from receiving any bounty rewards if you:

  • Are in violation of any national, state, or local law or regulation

Scope of Services covered by the programme:

  • Zeltrezjs library
  • Zel wallet clients, Zelnode Daemon.
  • Flux, both the distributed operating system and the individual components.
  • Zel-ID and all its components

Out-of-scope Service

  • Third-party libraries, for example attacking java itself to exploit zeltrezjs
  • Infrastructure not managed by Flux Teams, such as Public Explorers and FluxNodes run by community members

Qualifying Vulnerabilities

1. Injection flaws such as SQL, NoSQL, MongoDB, or OS injection that trick a command interpreter into executing unintended commands without proper authorization.

2. Broken authentication/session management that allows compromise of passwords, keys, or session tokens

3. Sensitive data exposure due to improper protection of data via an insecure API or a flaw in a cryptography implementation

4. Cross-Site Scripting (XSS)

5. Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context

6. Remote code execution (RCE)

7. Insecure Direct Object References

8. Privilege Escalation

9. Significant Security Misconfiguration (when not caused by user)

10. Directory Traversal

11. Open Redirects

12. Spoofing enablement

13. Attacks of any type on the docker containers hosted on the Flux network.

14. Any significant abuse-related methodologies that could lead to significant harm

The above list is by no means exhaustive, so if you have something not on it and not on the excluded list, do reach out; it is covered.

Non-Qualifying Vulnerabilities

1. Non-original or previously disclosed/reported bugs (with fixes currently underway).

2. Non-technical attacks such as social engineering, phishing, or physical attacks against entities or infrastructure.

3. Any degrading of or damage to the reliability or integrity of our services (such as DDoS attacks, man-in-the-middle attacks, spamming, and similar questionable acts)

4. Any software not directly produced by the Flux Team

5. Domains hosted by third parties (e.g. GitHub, GitLab, etc.)

6. Subdomains operated by third parties (e.g. info.zel.cash)

7. Any Flux-branded services operated by third parties

8. Network hijacks, man-in-the-middle, SS7 or similar.

Process flow:

Send an email using the PGP keys below. [email protected] is the only email to use. Failing to use the attached PGP keys for the bug report will invalidate any security issues higher than level 2 on the CVSS scale.

1. Write up a report on your findings.

2. PGP-encrypt the report with the keys from URL

3. Within 24 hours you will have an acknowledgement

4. Adhere to the timeline and additional information requests from the Flux team outlined in the acknowledgement email.

5. Discuss publication times and names.

6. Possibly collect bounty

7. Get published under the advisory policy

Process flow:

Immediately upon the discovery and initial remediation of security breaches, Flux will undertake to inform the community and user base as a whole to the broadest extent possible.

Initial communication from Flux may not necessarily include details of the vulnerability if the purpose of such an advisory is to have end-users update potentially compromised software.

As soon as a reasonable (severity-dependent) percentage of users have updated their software, Flux will make a full and in-depth disclosure, with CVE reports published at URL. Security researchers who choose to contribute towards the wellbeing of Flux and the wider community will be acknowledged in the posts. However, should they request privacy, the Flux team will respect that.

The Flux Team reserves the right to determine timeframes for publication in accordance with best overall security practices for end-users.

The exact methods of communication of advisories will include but are not limited to publishing on URL as well as announcement through Flux’s social media channels.