Responsible Disclosure Policy
Important note: for any immediate security report please proceed to our report page.
The security of the MultiversX blockchain, and associated core components, is a top priority for MultiversX. Our Proof of Stake network is secured by considerable amounts of EGLD and provides valuable services for business or private use. Our mission is to become a layer of trust for digital financial systems at internet scale, and the highest level of security is a mandatory prerequisite.
The security researcher community regularly makes valuable contributions to the security of organizations and the broader Internet, and MultiversX recognizes that fostering a close relationship with the community will help improve the security of the MultiversX blockchain. So if you have information about a vulnerability in the MultiversX blockchain and associated components, we want to hear from you.
Reporting a Security Issue
Please DO send an email to security[@]multiversx[.]com
Please DO NOT open public issues on GitHub that contain information about a potential security vulnerability: a public report gives attackers a window to exploit the issue before a fix is deployed and makes it difficult to reduce the impact of valid security issues.
What to include:
- Well-written reports in English will have a higher chance of being accepted
- Reports that include proof of concept code will be more likely to be accepted
- Reports that include only crash dumps or other automated tool output will most likely not be accepted
- Reports that include products & services that are out of scope (see the Scope section below) will not be considered
- Include how you found the bug, the impact, and any potential remediation
- Any plans for public disclosure
What you can expect from us:
- A timely response to your email (within 2 business days).
- An open dialog to discuss issues.
- Credit after the vulnerability has been validated and fixed.
Coordinated Responsible Disclosure Policy
We ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed to protect the MultiversX blockchain and its users.
Please do:
- Allow the MultiversX team a reasonable amount of time to address security vulnerabilities
- Avoid exploiting any vulnerabilities that you discover
- Demonstrate good faith by not disrupting or degrading MultiversX services, products & data
MultiversX pledges not to initiate legal action against researchers as long as they adhere to this policy.
Responsible Disclosure Process
- Once a security report is received, the MultiversX team verifies the issue and establishes the potential threat
- Patches to address the issues will be prepared and tested on private testnets
- The Validators community is informed about an upcoming public testnet release to prepare them for upgrading in a timely manner
- The public testnet is patched and additional tests are performed
- The Validators community is informed about an upcoming mainnet release to prepare them for upgrading in a timely manner
- The mainnet is patched and additional tests are performed
- We publish a security advisory on GitHub
- We give credit and applicable rewards to the submitter(s) of the issue
Scope
- MultiversX protocol Repository: https://github.com/multiversx/mx-chain-go
- SDK Repository: https://github.com/multiversx/mx-sdk-dapp
- MultiversX Proxy Repository: https://github.com/multiversx/mx-chain-proxy-go
- Virtual Machine Repository: https://github.com/multiversx/mx-chain-vm-go
- Wallet Located at https://wallet.multiversx.com
- Explorer Located at https://explorer.multiversx.com
- Other repositories that contain potential security risks for the MultiversX blockchain and corresponding services. Repository: https://github.com/multiversx
- Other web components related to MultiversX.com that pose a security risk for MultiversX related services. Located at *.multiversx.com
Out of scope
- Scam & phishing attempts involving MultiversX products
- Lost or compromised secret phrases, keystore files or private keys
- Physical vulnerabilities
- Social Engineering attacks
- Functional, UI, and UX bugs such as spelling mistakes
- Descriptive error messages
- HTTP error codes/pages
Contact Us
Important note: for any immediate security report please proceed to our report page.
In order to protect the MultiversX ecosystem, we request that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed partners if needed.