Zel CVE registration

The Zel team will strive to its utmost to deliver a strong effort in support of all CVE’ efforts and values.

Please, contribute to our code! - Daniel Keller

Responsible Disclosure Policy

To encourage responsible disclosure, no legal action shall be taken against you, provided you adhere to the following points:

>1) The Zel Blockchain and nodes: Any and all exploits be confined to a private testnet or regtest for validation purposes. Any code modifications carried out to run exploits need to be disclosed along with the effects for full validation.

2) For the Flux distributed operating system, any and all exploits are confined to their own nodes for validation purposes. Should additional nodes be required to fully validate more serious/extensive effects “ripple attacks”, the Zel team will assist with a private testnet.

3) Submissions can only be made to security@zel.network using the attached PGP keys for encryption is a requirement.

4) Include an email for responses in your report.

5) Adhere to timeframes laid out in initial confirmation of report emails.As we are a small team, the only absolute promise we can make is an acknowledgement within 24 hours which will include full timeframes for remedial action, public disclosure as well as publication and acknowledgement.

All bugs will be evaluated according to the CVSS scoring scale and rewarded accordingly. The CVSS levels are:

How it works:

Adhere to the Responsible Disclosure Policy

B) Make all possible effort to not interrupt or degrade our service.

C) Do not attempt to gain unauthorized access to user accounts, assets or information (use your own account/accounts to test against).

D) Do not copy or modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.

E) Do not exploit a security issue you discover beyond the point of validation on own accounts/nodes.

F) We publish a cve compliant list of researchers who have submitted valid security reports. Additionally we operate a Bug Bounty program and will on your behalf submit disclosure to it as well. Should you have no interest in bounties, you will be free to nominate a charity of your choice to receive the reward.

G) Should you wish to remain anonymous, we will respect your privacy.

H) We reserve the right to determine timeframes for publishing reports (and accompanying product updates) pertaining to each instance. However, we will provide best effort information to you on all such issues.

Eligibility Requirements

We have the right to remove you from the CVE Program and disqualify you from publication if you:

● Are in violation of any national, state, or local law or regulation

Scope of Services covered:

● Zeltrezjs library

● Zel wallet clients, Zelnode Daemon.

● Flux, both the distributed operating system and the individual components.

● Zel-ID and all its components

Out-of-scope Services:

Third-party libraries, for example attacking java itself to exploit zeltrezjs Infrastructure not managed by Zel Teams such as Public Explorers and ZelNodes run by community members

Qualifying Vulnerabilities

1) Injection flaws such as SQL, noQSL, Mongodb, OS injection that tricks command interpreter into executing unintended commands without proper authorization.

2) Broken authentication/session management that allows compromise of passwords, keys, or session tokens

3) Sensitive data exposure due to improper protection of data via insecure API or flaw in cryptography implementation3

4) Cross-Site Scripting (XSS)

5) Cross-Site Request Forgery (CSRF) for sensitive functions in a privileged context

6) Remote code execution (RCE)

7) Insecure Direct Object References

8) Privilege Escalation

9) Significant Security Misconfiguration (when not caused by user)

10) Directory Traversal

11) Open Redirects

12) Spoofing enablement

13) Attacks of any type on the docker containers hosted on the Flux network.

14) Any significant abuse-related methodologies that could lead to significant harm

The above list is by no means exhaustive, so if you have something not on it and not on the excluded list, do reach out, it is covered.

Non-Qualifying Vulnerabilities

I. Non-original or previously disclosed/reported bugs (with fixes currently underway).

II. Non-technical attacks such as social engineering, phishing, or physical attacks against entities or infrastructure.

III. Any degrading/damaging the reliability or integrity of our services (such as DDoS attacks, man in the middle attacks, spamming, and similar questionable acts)

IV. Any software not directly produced by the Zel Team

V. Domains hosted by third parties (e.g.: Github, Gitlab, etc)

VI. Subdomains operated by third parties (e.g: info.zel.cash)

VII. Any Zel branded services operated by third parties

VIII. Network hijacks, man in the middle, ss7 or similar.

Process flow:

Send an email using the below pgp keys cve@zel.network is the only email to use. Failing to use the attached PGP keys for the report will invalidate any security issues higher than level 2 on the CVSS scale.

1) Write up a report on your findings.

2) PGP Encrypt the report with keys from URL

3) Within 24 hours you will have an acknowledgement

4) Adhere to timeline and additional information requests from the Zel team outlined in the acknowledgement email.

5) Discuss publication times and names.

6) Possibly Collect bounty

7) Get published under the advisory policy

Advisory policy:

Zel will immediately upon the discovery and initial remediation of security breaches undertake to inform the community and user base as a whole to the largest broadest extent possible.

Initial communication from Zel may not necessarily include details of the vulnerability if the purpose of such an advisory is to have end-users update potentially compromised software.

As soon as a reasonable (severity dependent) percentage of users have updated their software, Zel will do full and in depth disclosure with CVE reports published at URL. Security researchers who choose to contribute towards the wellbeing of Zel and the wider community will be acknowledged in the posts. However, should they request privacy, the Zel team will respect that.

The Zel Team reserves the right to determine timeframes for publication in accordance with best overall security practices for end-users.

The exact methods of communication of advisories will include but are not limited to publishing on URL as well as announcement through Zel’s social media channels.