Details

Vulnerability Disclosure Policy

R3, the company behind Corda, welcomes collaboration with the security community. We are committed to the continuous security improvement of our products and services, and we thank you in advance for your contributions to our Vulnerability Disclosure Program (VDP).

Scope

We welcome submissions related to any publicly accessible information system, web property, or data owned, operated, or controlled by R3, unless explicitly defined as out of scope.

Out-of-scope assets are detailed in the program scope section in our HackerOne VDP program. Please refer to the scope section before commencing your research.

Expectations

We are committed to working in good faith with the security community. R3 requires that vulnerability submissions be conducted according to these guidelines:

Research is conducted in a manner that protects the data, property and privacy of our customers and partners.
Please be respectful of our systems and user data; avoid spamming forms, and the modification or deletion of our data.
Please do not use high-intensity invasive or destructive scanning tools to find vulnerabilities, and do not attempt or report any form of denial of service, e.g., overwhelming a service with a high volume of requests.
If creating accounts on our systems for testing purposes, please clearly identify yourself as a HackerOne researcher.
Report any suspected or confirmed vulnerability promptly and provide full details at the time of submission.
Give us reasonable time to work with our customers and partners to mitigate the issue, before making any information about it public.
Always comply with data protection rules and securely delete all data retrieved during your research as soon as it is no longer required, or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

Submitting a vulnerability

When submitting a vulnerability please include:

A description of the vulnerability and the environment in which it was discovered.
The name, version and configuration of the product or service that is affected.
Detailed steps that can reproduce the issue.
An image attachment (optional). Do not attach any video or executable files to your email.

Please do not include any identifiable information (name, contact information, or similar information) in your submission.

Response

R3’s Security Team will make every effort to acknowledge your report and initiate an investigation as soon as possible, and we will do our best to keep you updated throughout the remediation process. Our target response times are as follows:

We will provide prompt acknowledgement of receipt of your vulnerability report (normally within 48 business hours of submission).
Conduct an internal assessment and respond with our view on severity and impact, typically within 2 weeks but may be longer for complex issues.

Advisory-class issues may require coordinated disclosure with our customers and partners before being made publicly available. Security vulnerabilities may be published on our website in the form of a security advisory after R3 has conducted an analysis.

Safe Harbour

Any activities conducted in good faith, in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Scope

We welcome submissions related to any publicly accessible information system, web property, or data owned, operated, or controlled by R3, unless explicitly defined as out of scope.

Out-of-scope assets are detailed in the program scope section in our HackerOne VDP program. Please refer to the scope section before commencing your research.

Expectations

We are committed to working in good faith with the security community. R3 requires that vulnerability submissions be conducted according to these guidelines:

Research is conducted in a manner that protects the data, property and privacy of our customers and partners.

Please be respectful of our systems and user data; avoid spamming forms, and the modification or deletion of our data.

Please do not use high-intensity invasive or destructive scanning tools to find vulnerabilities, and do not attempt or report any form of denial of service, e.g., overwhelming a service with a high volume of requests.

If creating accounts on our systems for testing purposes, please clearly identify yourself as a HackerOne researcher.

Report any suspected or confirmed vulnerability promptly and provide full details at the time of submission.

Give us reasonable time to work with our customers and partners to mitigate the issue, before making any information about it public.

Always comply with data protection rules and securely delete all data retrieved during your research as soon as it is no longer required, or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

Submitting a vulnerability

When submitting a vulnerability please include:

A description of the vulnerability and the environment in which it was discovered.

The name, version and configuration of the product or service that is affected.

Detailed steps that can reproduce the issue.

An image attachment (optional). Do not attach any video or executable files to your email.

Please do not include any identifiable information (name, contact information, or similar information) in your submission.

Response

We will provide prompt acknowledgement of receipt of your vulnerability report (normally within 48 business hours of submission).

Conduct an internal assessment and respond with our view on severity and impact, typically within 2 weeks but may be longer for complex issues.

Safe Harbour