
Chainalysis
Chainalysis helps government agencies, cryptocurrency businesses, and financial institutions engage confidently with cryptocurrency.
External Program
Submit bugs directly to this organization

Last updated: June 17th, 2022
Chainalysis recognizes the value that external security researchers (referred to as "you" or "reporters" in this policy) can bring to the security of our systems, and we welcome responsible disclosures from security researchers, as outlined below.
If you believe that you have found a security vulnerability relating to a Chainalysis product or the Chainalysis.com website (as scoped in more detail below), please let us know straight away by sending a bug report to [email protected]. Before making a disclosure, please review this page for guidance on how to submit a helpful and concise bug report.
We will make reasonable efforts to investigate all legitimate reports and quickly fix any problems.
Provided you follow our policy and act within generally accepted industry standards for security research (in our sole discretion), it is not Chainalysis' policy to take punitive actions against good-faith reporters, such as referring matters to law enforcement for investigation or prosecution.
Follow these Dos and Don'ts when conducting security research on Chainalysis.
Reporters should submit vulnerability reports to Chainalysis only via email to [email protected]. Do not submit a high volume of low-quality reports. Check this policy from time to time to review our submission requirements and the types of reports we would like to see.
Reporters should keep confidential any information about vulnerabilities they have reported to Chainalysis until they have received an email confirmation that the issue has been resolved.
Reporters may request not to be named in public acknowledgements by Chainalysis. If reporters do not specify a preference then they will be acknowledged as the reporting party.
Chainalysis will not enter into a customer relationship, non-disclosure agreement (NDA), or any other contractual or financial obligation as a condition of receiving vulnerability reports. Depending on the circumstances, Chainalysis may ask that you sign an agreement in connection with establishing a more formal relationship. To the extent you sign, you may have additional contractual obligations to consider, such as confidentiality obligations.
Reporters will not receive compensation in return for reporting vulnerability information outside of what is set forth in Chainalysis' formal vulnerability disclosure program.
A good bug report needs to contain enough key information so that we can make a risk-based decision on what action should be taken. Our vulnerability disclosure program is designed for software developers and security researchers, so reports should be technically sound.
Reporters should include sufficient descriptive details to permit Chainalysis and/or the affected vendor(s) to accurately reproduce the vulnerable behavior.
Reporters should not report unanalyzed crash dumps or fuzzer output unless accompanied by a sufficiently detailed explanation of how they represent a security vulnerability.
Reporters should report other vulnerabilities they find that are incidental to their in-scope testing, even if those vulnerabilities would otherwise be considered out-of-scope. For example, if while testing an in-scope system the reporter finds it to be exposing data from an out-of-scope system, that would still be a reportable vulnerability.
Once we get your report, a member of our team will respond to you as soon as possible to confirm receipt. We aim to respond to all submissions within a few days.
Please do not publicly disclose details of your suspected vulnerability before we have completed an investigation into the reported issues and confirmed we have successfully fixed any confirmed vulnerabilities.
We can't promise exactly how long it will take to publish a fix in the case of a complex issue. We always do our best to solve issues as fast as possible, and we will communicate with you throughout this process.
Our vulnerability disclosure program is designed for security-related bugs only. It applies to our commercial products (see System Scope below) and online presence (Chainalysis.com).
We would like to see reports for security bugs in one or more of the following Chainalysis products, technologies and programs:
If you find a bug in a product or tool that Chainalysis uses but was potentially built by someone else, we'd appreciate it if you let us know so we can pass on details to the relevant third parties.