Security: onflow/atree

SECURITY.md

Responsible Disclosure Policy

Flow was built from the ground up with security in mind. Our code, infrastructure, and development methodology help us keep our users safe.

We really appreciate the community's help. Responsible disclosure of vulnerabilities helps to maintain the security and privacy of everyone.

If you care about making a difference, please follow the guidelines below.

Guidelines For Responsible Disclosure

We ask that all researchers adhere to the guidelines linked here.

Additionally, please include the following in the security report:

  • the name and version of the AI, scanner, etc. that detected the issue (this can help us handle reports generated by buggy tools more efficiently)
  • list of affected platforms (Atree is only officially supported on 64-bit architectures)
  • list of changes to the source code of Flow components (generally, the vulnerability reproducer shouldn't require modifying Flow source code)
  • version of the unmodified Flow Emulator used to check the reported issue (the issue might be prevented by Flow components that set or enforce limits on Atree)

Before submitting a security report, please review the source code included in the report. For example, please make sure the reported panic isn't caused by an overlooked mistake in the report's test code.

Flow Rewards

Security reports that follow the guidelines and meet other requirements of the vulnerability disclosure program might qualify for Flow Protocol Rewards.

Security reports should not evaluate Atree as a standalone component, because Atree relies on limits and security guarantees provided by other components, namely the Cadence programming language and the Flow node software.

Before submitting a report, please try to reproduce the vulnerability with a Cadence script or transaction on an unmodified Flow Emulator. See the documentation on how to install and use it.

There aren’t any published security advisories