Vulnerability Reporting
Learn how to report security vulnerabilities, understand our responsible disclosure policy, and contribute to SuperSafe's security.
Responsible Disclosure Policy
SuperSafe Wallet takes security seriously and encourages responsible disclosure of security vulnerabilities. We appreciate the security research community's efforts to help keep our users safe.
Our Commitment
Security First
- User Safety: User safety is our top priority
- Quick Response: We acknowledge security reports within 24 hours and triage them within 48 hours
- Transparent Process: We keep reporters informed throughout triage, fix development and disclosure
- Recognition: We publicly credit security researchers who report responsibly
Response Timeline
Security Response Timeline:
├── Initial Response: Within 24 hours
├── Triage: Within 48 hours
├── Investigation: Within 7 days
├── Fix Development: Within 30 days
├── Fix Deployment: Within 45 days
└── Public Disclosure: Within 90 days
What to Report
Security Vulnerabilities
Critical Vulnerabilities
- Private Key Exposure: Any way to expose private keys
- Vault Bypass: Any way to bypass vault encryption
- Unauthorized Access: Any unauthorized access to wallets
- Data Exfiltration: Any way to extract sensitive data
High Priority Vulnerabilities
- Authentication Bypass: Any way to bypass authentication
- Permission Escalation: Any way to escalate permissions
- Code Injection: Any code injection vulnerabilities
- Session Hijacking: Any session hijacking vulnerabilities
Medium Priority Vulnerabilities
- Information Disclosure: Any information disclosure
- Denial of Service: Any denial of service vulnerabilities
- Cross-Site Scripting: Any XSS vulnerabilities
- CSRF: Any CSRF vulnerabilities
What NOT to Report
Out of Scope
- Social Engineering: Social engineering attacks
- Physical Access: Physical access to devices
- Phishing: Phishing attacks
- Malware: Malware infections
Low Priority Issues
- UI/UX Issues: User interface issues
- Performance Issues: Performance problems
- Feature Requests: Feature requests
- Documentation Issues: Documentation problems
How to Report
Reporting Channels
Primary Channel: GitHub Security
- Repository: SuperSafe Security
- Method: GitHub Security Advisories
- Encryption: End-to-end encrypted
- Tracking: Full issue tracking
Alternative Channel: Email
- Email: security@supersafe.cool
- Subject: [SECURITY] Brief description
- Encryption: PGP encryption preferred
- Response: Within 24 hours
Report Format
Required Information
- Vulnerability Type: Type of vulnerability
- Severity: Severity level (Critical, High, Medium, Low)
- Description: Detailed description
- Steps to Reproduce: Step-by-step reproduction
- Impact: Potential impact
- Mitigation: Suggested mitigation
Report Template
Security Vulnerability Report
Vulnerability Type: [Type of vulnerability, e.g. private key exposure, authentication bypass, XSS]
Severity: [Critical/High/Medium/Low]
Description: [Detailed description of the vulnerability]
Steps to Reproduce:
1. [Step 1]
2. [Step 2]
3. [Step 3]
Expected Behavior: [What should happen]
Actual Behavior: [What actually happens]
Impact: [Potential impact of the vulnerability]
Mitigation: [Suggested mitigation if any]
Environment:
- Browser: [Browser and version]
- OS: [Operating system and version]
- SuperSafe Version: [SuperSafe version]
- Extension Version: [Extension version]
Additional Information:
[Any additional information]
Security Research Guidelines
Research Scope
In Scope
- SuperSafe Wallet Extension: Chrome extension
- SuperSafe Website: Official website
- SuperSafe APIs: Public APIs
- SuperSafe Documentation: Public documentation
Out of Scope
- Third-party Services: External services
- User Devices: User devices and systems
- Network Infrastructure: Network infrastructure
- Social Engineering: Social engineering attacks
Research Guidelines
Ethical Guidelines
- Responsible Disclosure: Follow responsible disclosure
- No Data Access: Don't access user data
- No Disruption: Don't disrupt services
- Respect Privacy: Respect user privacy
Technical Guidelines
- Test Environment: Use test environment
- Minimal Impact: Minimize impact
- Document Everything: Document all findings
- Report Promptly: Report findings promptly
Bug Bounty Program
Program Overview
Eligibility
- Security Researchers: Independent security researchers
- Security Companies: Security companies
- Academic Researchers: Academic researchers
- Community Members: Community members
Rewards
- Critical: $1,000 - $5,000
- High: $500 - $1,000
- Medium: $100 - $500
- Low: $50 - $100
Reward Criteria
Critical Vulnerabilities
- Private Key Exposure: $5,000
- Vault Bypass: $3,000
- Unauthorized Access: $2,000
- Data Exfiltration: $1,000
High Priority Vulnerabilities
- Authentication Bypass: $1,000
- Permission Escalation: $750
- Code Injection: $500
- Session Hijacking: $500
Medium Priority Vulnerabilities
- Information Disclosure: $250
- Denial of Service: $200
- Cross-Site Scripting: $150
- CSRF: $100
Payment Process
Payment Timeline
- Report Submission: Submit vulnerability report
- Triage: Within 48 hours
- Investigation: Within 7 days
- Fix Development: Within 30 days
- Fix Deployment: Within 45 days
- Payment: Within 60 days
Payment Methods
- Cryptocurrency: Bitcoin, Ethereum, USDC
- Bank Transfer: Bank wire transfer
- PayPal: PayPal payment
- GitHub Sponsors: GitHub Sponsors
Security Response Process
Response Timeline
Initial Response
- Acknowledgment: Within 24 hours
- Triage: Within 48 hours
- Investigation: Within 7 days
- Status Update: Within 14 days
Fix Development
- Fix Development: Within 30 days
- Testing: Within 35 days
- Deployment: Within 45 days
- Verification: Within 50 days
Public Disclosure
- Coordinated Disclosure: Within 90 days
- Security Advisory: Public security advisory
- CVE Assignment: CVE assignment if applicable
- Credit: Researcher credit
Communication
Regular Updates
- Weekly Updates: Weekly status updates
- Milestone Updates: Milestone updates
- Final Update: Final resolution update
- Public Disclosure: Public disclosure
Communication Channels
- GitHub Issues: GitHub issue tracking
- Email: Direct email communication
- Security Advisory: Public security advisory
- Blog Post: Blog post announcement
Security Team
Core Team
Security Lead
- Name: Security Team Lead
- Email: security@supersafe.cool
- GitHub: @supersafe-security
- PGP: Available on request
Security Engineers
- Team: Security engineering team
- Email: security@supersafe.cool
- GitHub: @supersafe-security
- Response: 24/7 response
External Advisors
Security Advisors
- Independent Advisors: Independent security advisors
- Academic Advisors: Academic security advisors
- Industry Advisors: Industry security advisors
- Community Advisors: Community security advisors
Security Resources
Documentation
Security Documentation
- Security Overview: Comprehensive security overview
- Architecture Security: Security architecture details
- Threat Model: Threat model documentation
- Security Controls: Security controls documentation
Technical Resources
- API Documentation: Security API documentation
- Code Documentation: Security code documentation
- Test Documentation: Security test documentation
- Deployment Guide: Security deployment guide
Tools and Resources
Security Tools
- Static Analysis: Static code analysis tools
- Dynamic Analysis: Dynamic analysis tools
- Penetration Testing: Penetration testing tools
- Vulnerability Scanning: Vulnerability scanning tools
Research Resources
- Test Environment: Test environment access
- Documentation: Comprehensive documentation
- Support: Technical support
- Community: Security community access
Legal and Compliance
Legal Framework
Responsible Disclosure
- Good Faith: Good faith security research
- No Legal Action: No legal action for responsible disclosure
- Cooperation: Cooperation with security team
- Confidentiality: Confidentiality during investigation
Legal Protection
- Safe Harbor: Safe harbor for security researchers
- Legal Immunity: Legal immunity for responsible disclosure
- Protection: Protection from legal action
- Support: Legal support if needed
Compliance
Regulatory Compliance
- GDPR: General Data Protection Regulation
- CCPA: California Consumer Privacy Act
- SOC 2: Service Organization Control 2
- ISO 27001: Information Security Management
Industry Standards
- OWASP: OWASP security standards
- NIST: NIST security guidelines
- ISO 27001: ISO 27001 security standards
- CIS: Center for Internet Security
Community Recognition
Recognition Program
Hall of Fame
- Security Researchers: Security researchers hall of fame
- Contributors: Security contributors recognition
- Community Members: Community members recognition
- Academic Partners: Academic partners recognition
Recognition Benefits
- Public Recognition: Public recognition
- Community Access: Community access
- Early Access: Early access to features
- Special Events: Special events access
Contribution Recognition
Contribution Types
- Vulnerability Reports: Vulnerability reports
- Security Improvements: Security improvements
- Documentation: Security documentation
- Community Support: Community support
Recognition Levels
- Gold: Major contributions
- Silver: Significant contributions
- Bronze: Regular contributions
- Community: Community contributions
Contact Information
Primary Contact
Security Team
- Email: security@supersafe.cool
- GitHub: SuperSafe Security
- PGP Key: Available on request
- Response Time: Within 24 hours
General Contact
- Email: support@supersafe.cool
- GitHub: SuperSafe Issues
- Discord: SuperSafe Discord
- Twitter: @SuperSafeWallet
Emergency Contact
Critical Issues
- Email: security-emergency@supersafe.cool
- Response Time: Within 4 hours
- Availability: 24/7
- Escalation: Immediate escalation
Next Steps
Now that you understand vulnerability reporting:
- Security Overview - Review security overview
- Security Configurations - Configure security settings
- Advanced Topics - Advanced security topics
- For Developers - Developer security
Ready to learn more about security? Continue to Security Overview!