# Responsible Disclosure Policy

We greatly appreciate any and all disclosures of bugs and vulnerabilities that are done in a responsible manner. We will engage with responsible disclosures according to this policy and put forth our best effort to fix disclosed vulnerabilities, as well as reaching out to numerous node operators to deploy fixes in a timely manner.

## Responsible Disclosure Guidelines

Non-critical bugs can be reported by creating an issue on [GitHub](https://github.com/grant-project/zcash-grant-system).

Do not disclose critical bugs or vulnerabilities on public forums, message boards, mailing lists, etc. prior to responsibly disclosing to the Zcash Foundation / Grant.io teams and giving sufficient time for the issue to be fixed and deployed.

## Reporting a Bug or Vulnerability

When reporting a bug or vulnerability, please provide the following to contact@grant.io and CC contact@zfnd.org.

* A short summary of the potential impact of the issue (if known).
* Details explaining how to reproduce the issue or how an exploit may be formed.
* Your name (optional). If provided, we will provide credit for disclosure. Otherwise, you will be treated anonymously and your privacy will be respected.
* Your email or other means of contacting you.
* A PGP key/fingerprint for us to provide encrypted responses to your disclosure. If this is not provided, we cannot guarantee that you will receive a response prior to a fix being made and deployed.

## Encrypting the Disclosure

We highly encourage all disclosures to be encrypted to prevent interception and exploitation by third parties prior to a fix being developed and deployed.
Please encrypt using the PGP public key with fingerprint: `46CD57E95AF395A1499C18A3F01C867EEB456C7A`

It may be obtained via:

```
gpg --recv-keys 46CD57E95AF395A1499C18A3F01C867EEB456C7A
```

Alternatively, it may be obtained by copying the ASCII-armored public key block into a file and importing it via:

```
gpg --import
```

Signing example:

```
gpg --encrypt --sign --armor -r contact@grant.io
```

##### Inspired by [this](https://github.com/Bitcoin-ABC/bitcoin-abc/blob/master/DISCLOSURE_POLICY.md) disclosure policy
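For the "Encrypting the Disclosure" steps, the following is an added example (not part of the original policy or the project's code) of a pre-encryption check: `-r contact@grant.io` selects a key by user ID, a self-asserted label that any key can carry, so the script confirms that the only local key matching that address has the published fingerprint and then encrypts to the fingerprint itself. The function names and both sample listings are constructed for illustration; only the fingerprint and e-mail address come from the policy.

```shell
#!/bin/sh
# Added example: pin the recipient key by fingerprint before encrypting.
EXPECTED_FPR=46CD57E95AF395A1499C18A3F01C867EEB456C7A   # from the policy text
RECIPIENT_UID=contact@grant.io                           # from the policy text

# Constructed sample of `gpg --with-colons --fingerprint` output (dates, sizes
# and the subkey are made up; only the primary fingerprint comes from the page).
SAMPLE_OK='pub:-:4096:1:F01C867EEB456C7A:1500000000:::-:::scESC:
fpr:::::::::46CD57E95AF395A1499C18A3F01C867EEB456C7A:
uid:-::::1500000000::0000::Grant.io <contact@grant.io>:
sub:-:2048:1:0000000000000001:1500000000::::::e:
fpr:::::::::0000000000000000000000000000000000000001:'

# Same keyring after a second, constructed key claiming the same address is imported.
SAMPLE_AMBIG="$SAMPLE_OK
pub:-:4096:1:AAAAAAAAAAAAAAAA:1500000000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:-::::1500000000::0000::Grant.io <contact@grant.io>:"

# Print the fingerprint of every primary key in a colon listing read from stdin.
# The first "fpr" record after a "pub" record is the primary key; field 10 holds it.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# check_listing LISTING
#   0: exactly one primary key and it is the expected one
#   1: expected fingerprint absent (wrong or missing key)
#   2: expected key present, but other keys match the same user ID
check_listing() {
    fprs=$(printf '%s\n' "$1" | primary_fprs)
    printf '%s\n' "$fprs" | grep -qx "$EXPECTED_FPR" || return 1
    [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] || return 2
    return 0
}

# encrypt_report FILE: refuse to encrypt unless the local keyring passes the check,
# then address the recipient by fingerprint instead of by e-mail.
encrypt_report() {
    listing=$(gpg --batch --with-colons --fingerprint "$RECIPIENT_UID") || return 3
    check_listing "$listing" || return $?
    gpg --encrypt --sign --armor -r "$EXPECTED_FPR" --output "$1.asc" "$1"
}
```

Source the file and run `encrypt_report report.txt`; a return code of 2 means another key in the keyring also carries the address and should be inspected before sending anything.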