- 1. Overview
- 2. Code Contest Guidelines
- 3. Submitting A Report
- 4. Unauthorized Test Methods
- 5. Questions
- 6. Authorization
Code 423n4 is an open organization committed to ensuring the security of decentralized protocols and protecting the information of our sponsors and participants. This policy is intended to provide C4 Wardens (security researchers) with clear guidelines for participating in code contests (bug bounties) while conducting vulnerability discovery activities.
The following policy conveys C4's preferences in how to submit discovered vulnerabilities to the organization and describes what systems and types of research are covered under this policy, how to share vulnerability reports, and the length of time we expect Wardens to wait prior to publicly disclosing vulnerabilities.
When participating in C4 code contests, please contact an organizer in the C4 Discord and formally submit any bug bounties to submissions@code423n4.com using the official submission template.
Reports can be submitted at any point prior to stop time for a given contest. The details for each code contest can be found in the contests directory.
Under this policy, code contests cover activities in which you:
- Register as a C4 Warden in an individual capacity or as part of a team.
- Submit your bug report within a single document or email using the provided submission template.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data, especially in regard to funds.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise funds, exfiltrate data, establish persistent permissioning access, or redirect to other systems.
- Unless explicitly noted by the affiliated sponsor, wait until the end of a code competition and allow a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
In the event that you encounter a critical vulnerability that the sponsor project would want to know about, even before the end of the contest, immediately notify the C4 team at submissions@code423n4.com.
Publicly disclosing any information prior to the end of a code competition is grounds for immediate forfeit of award and disqualification from any future C4 events and activities.
C4 accepts vulnerability reports via submissions@code423n4.com. Reports should be formatted based on the provided template. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report prior to the end of the code contest or within 3 business days, whichever comes first.
We do not support PGP-encrypted emails. For particularly sensitive information, please place your submission through the C4 Discord by DM'ing a C4 organizer.
In order to help us triage and prioritize submissions, please ensure that your reports:
- Are submitted no later than the code contest stop time.
- Consolidate multiple bug findings within a single document.
- Are submitted by email to submissions@code423n4.com and conform to the provided template.
- Describe the location where the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts or screenshots are helpful).
- Are written in English, if possible.
The following methods are not authorized means of testing within C4 code contests:
- Testing exploits on mainnet.
- Network denial-of-service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
- Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.
Questions regarding this policy can be addressed in the #questions channel on the C4 Discord. We also invite you to contact us with suggestions for improving this policy.
If you make a good faith effort to comply with this policy during your security research, C4, its affiliates, and sponsors will consider your research to be authorized.
The C4 community will work with you to understand and resolve any issues quickly, and C4, its affiliates, and sponsors will not recommend or pursue legal action related to your research.
Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, C4 will make this authorization known.