Public announcements of new releases with security fixes and of disclosure of any vulnerabilities will be made in the Celo Forum's Security Announcements channel.

We’re extremely grateful for security researchers and users that report vulnerabilities to the Celo community. All reports are thoroughly investigated.

The Celo community asks that all suspected vulnerabilities be privately and responsibly disclosed.

1. Submit your vulnerability to Celo on Intigriti.
   • This is currently a public program
2. You can also email the security@clabs.co list with the details of reproducing the vulnerability as well as the usual details expected for all bug reports.

• Celo protocol, but the team may be able to assist in coordinating a response to a vulnerability in the third-party apps or tools in the Celo ecosystem.

https://celo.org
https://*.celo.org
https://*.clabs.co
https://github.com/celo-org/*

Verbose messages/files/directory listings without disclosing any sensitive information
CORS misconfiguration on non-sensitive endpoints
Missing cookie flags
Missing security headers
Presence of autocomplete attribute on web forms
Bypassing rate-limits
Clickjacking on pages with no sensitive actions
Host header injection without proven business impact
Anything related to email spoofing, SPF, DMARC or DKIM
Open ports without an accompanying proof-of-concept demonstrating vulnerability

• In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity
• Spam, social engineering and physical intrusion
• DoS/DDoS attacks or brute force attacks
• Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
• Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts
• Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty.
• Reports that state that software is out of date/vulnerable without a proof-of-concept

• What will happen if a vulnerability is reported and is known to the company from their own tests,?

  • It will be flagged as a duplicate

• What kind of exploits are excluded from the program or may be lowered in severity?

  • Reports that state that software is out of date/vulnerable without a proof-of-concept
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces
  • Issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity
  • Spam, social engineering and physical intrusion
  • DoS/DDoS attacks or brute force attacks
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
  • Attacks requiring physical access to a victim’s computer/device will not be accepted.
  • Man in The Middle
  • Compromised User Accounts

• Do you accept recently disclosed zero-day vulnerabilities?

  • We need time to patch our systems just like everyone else - please give us 2 weeks before reporting

PGP Fingerprint ID: A22B62A5EAFB6948