Updated December 6th, 2018
At Shift Cryptosecurity, we strive towards excellence when it comes to the security and privacy of
our products and believe that an open architecture is vital to keep our users safe. However, even
in time-proven security architectures, vulnerabilities can be found. This is why our code is open
source. If you find a vulnerability, we ask you to follow the responsible disclosure guidelines of
our bug bounty program.
I. Hall of fame
We are thankful to the researchers who work with us to help keep users safe. We wish to
acknowledge those who have contacted us and coordinated the release of their research. At their
discretion, contributions are attributed on our hall of fame page. We also understand that
anonymity may be an important concern to the researcher and are prepared to protect their
Respect and appreciation for the effort, time and skills of independent security researchers are
important to Shift Cryptosecurity. We support researchers in their work to help us equip users
with safe products by establishing responsible disclosure guidelines and a bug bounty
program. We understand that researchers are free to choose their work’s focus as well as when
and to whom they disclose their findings. When a vulnerability is found, we recommend you follow
our guidelines below.
Information that significantly helps improve our security will be rewarded. This includes user and customer privacy. The main areas are:
- Official code implementations in production that we maintain and make available at the BitBox GitHub repository.
- All Shift Cryptosecurity hardware.
- Keep lines of communication open: additional information may be needed, and we want to ensure that we give your research proper attribution.
- Do not at any time:
- Actively exploit, or commit a Denial of Service against, us, other users' wallets, or the nodes the software connects to.
- Socially engineer our company, those who contact us, and users of our products.
- Enact any physical or electronic attack against company property.
- Release user data.
- Release any private data related to Shift Cryptosecurity.
- If applicable, the bounty will be granted after the Incident Response is successfully completed and the relevant software fixes have been released.
- Known issues are not eligible for the bug bounty program. When Shift becomes aware of a vulnerability, it is timestamped on the blockchain.
III. Security Response Team
The security team may be reached at firstname.lastname@example.org (PGP: 4B40 A37E D0BB 0775 EA91 0A31 684B DEA7 EF01 480E) for reports and discussion about potential issues.
IV. Incident Response
- Submit your report via PGP or another end-to-end encrypted communication channel.
- We will respond within 3 business days and then follow up with any questions needed to complete the report.
- Confirm receipt of your contact and triage the reported issues.
- Follow up with the results of our validation process.
For vulnerabilities or important observations that impact our users, we will lay out a timeline
for mitigation and suggestions for coordinated disclosure with you. We will report on progress
made and contact you if more time is required.
V. Post-Release Disclosure Process
- At your discretion, we will credit you on our hall of fame page and in relevant software release notes.
- Rewards are based on the severity of the bug and at a level that we feel is reasonable.
If the Incident Response process in section IV is not successfully completed and consensus
on a timely disclosure is not reached, we encourage you to publish your results without us.
We may even invite you for a bite to eat in Switzerland with the team for especially nice
cryptographic or elegant code execution attacks. Novel bugs will be rewarded with novel