Bug bounties

Found a software security issue?

If you believe that you have spotted a vulnerability in the Vega protocol software (node, data node, wallet, etc.), the network, or any supporting systems or code used by the project, please submit a bug report by email so that it can be resolved as soon as possible.

Scope

The vega.xyz website and any bug related to the vega.xyz email domain are out of scope. The program is meant for serious bugs that have a significant impact on security. Bugs on the vega.xyz website would only qualify if they demonstrate how to modify website content to replace links in order to, for instance, host malicious software on the downloads section of the site, link to different GitHub code repositories, or link to impersonator Twitter / Discord accounts from the Community section. In particular, if an automated scanner reports that there is an issue with vega.xyz, this on its own does not merit a report.

How to

To prevent a potential vulnerability from being abused by others:

  • Submit a bug through email. If you want to send an encrypted message, use the Vega PGP key and send the email to security@vega.xyz.
  • Provide sufficient information (for example, a detailed description including logs, how to reproduce the vulnerability, scripts, screenshots, etc.) so that the security issue can be addressed as effectively as possible.

Please do not share knowledge about the vulnerability with others, until the issue has been fixed or we have worked out some safe and coordinated way of publication with you. Do not abuse the vulnerability. After a vulnerability has been reported, you will be contacted within 2 working days to make arrangements for a reasonable period of recovery, a possible coordinated publication of the vulnerability and reward.

We are not network operators

As a decentralized system, we are entirely separate from any validators running the Vega protocol, and vulnerabilities relevant to specific validators should be reported to them directly (though feel free to let us know if you think a validator is not responding appropriately). In addition, we have no influence on how the validators (or their cloud providers) might react if you poke their systems, so we cannot help you if you do so in any way that upsets them. For testing your discoveries, we advise using a separate protocol instance that you run yourself.

Encrypted or anonymous submissions

If you want to send an encrypted message to security@vegaprotocol.io, you can use our PGP key, which is detailed below.

PGP Key

This is the PGP key that can be used to securely submit security issues to the project team. Please note that this is the only usage of the key; especially, this key will never be used to issue signatures that are in any way meaningful or binding. We also may change the key at any time, so please make sure to check here for the current version.