No technology is perfect and Chia Network believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our assets. Good luck, and happy hunting!
Response Targets
Chia Network will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Bounty | 14 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
- Follow HackerOne's disclosure guidelines.
- We currently don't disclose reports marked as Informative.
Eligibility
- You must be the first reporter of the vulnerability.
- The vulnerability must demonstrate security impact.
- In most cases, a working proof of concept is required for report acceptance.
- If neither a proof of concept nor enough supporting documentation for Chia engineers to feasibly reproduce and evaluate the issue is provided, the report may not be accepted.
- Whether a report's quality is sufficient for acceptance is at the discretion of Chia's HackerOne program.
Access
- Information on how to install and test these applications can be found in each application's wiki, which is linked from its GitHub repository.
- The GitHub repositories include instructions for pointing the local services at testnet10 and testnet11. Please ensure all testing is done against these testnets and never against mainnet.
Safe Harbor
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via [email protected] before going any further.