Oxorio Public Disclosure Policy for Critical Vulnerabilities
Introduction
At OXORIO, our commitment is to enhance the security and integrity of the blockchain ecosystem. This Public Disclosure Policy outlines our procedures for publicly disclosing critical vulnerabilities in blockchain projects that choose not to address the issues we have identified during our audits.
Purpose: This policy aims to protect the community and users of blockchain technologies by ensuring they are informed of significant risks that have not been remediated by the respective project teams.
Scope: This policy applies to all critical vulnerabilities found in blockchain projects that OXORIO investigates, where the project team has decided against implementing the recommended fixes or has not responded adequately within the agreed timeframe.
Policy Guidelines
- Initial Discovery and Reporting:
  - Upon discovering a critical vulnerability, we will confidentially report the issue to the project team, providing detailed documentation and a recommended course of action.
  - The report will include a clear description of the vulnerability, steps to reproduce it, the potential impact, and suggested remediation measures.
- Grace Period:
  - The project team will be given a standard grace period of 90 days from the date of the report to address the vulnerability. This period may be adjusted based on the severity of the vulnerability and the responsiveness of the project team.
  - We encourage open communication and will offer assistance during this period to help resolve the issue.
- Decision to Disclose Publicly:
  - If the project team does not take action within the grace period, or if the response is inadequate relative to the severity of the vulnerability, we will proceed with preparing a public disclosure.
  - The decision to disclose publicly is made based on the risk to the community and the potential impact of the vulnerability.
- Responsible Disclosure:
  - Prior to public disclosure, we will notify the project team of our intent to go public with the information and provide them with a draft of the disclosure document for review.
  - We will make every effort to ensure that the disclosure minimizes harm and avoids unnecessary panic, while providing the community with enough information to take protective measures.
- Public Disclosure:
  - The disclosure will include a detailed description of the vulnerability, affected components, the potential impact, and any possible mitigation steps that users can take.
  - We will publish the disclosure on our website, distribute it through our social media channels, and share it with major cybersecurity news outlets.
- Post-Disclosure Follow-up:
  - We will continue to monitor the situation and update the public if and when new information or further remediation is provided by the project team.
  - We remain open to collaborating with the project team to resolve the issue even after public disclosure.
Safe Harbor:
- We commit to not pursuing legal action against anyone who discloses vulnerabilities to us in good faith and in accordance with our Vulnerability Disclosure Policy.
- We expect the same ethical consideration from the community and the project teams with which we work.
Contact Information:
For more information about this policy or our security practices, please contact ping@oxor.io.