# Blockchain Commons Vulnerability Disclosure

## Competent Audit

### Expertise

_Contractor_ agrees to perform any security analysis or review work under this agreement with the care, skill, and knowledge of an expert in the digital security industry, and to use employees and contractors, if any, with the required expertise to uphold that standard.

Customer acknowledges and agrees that it would be unreasonable to expect _Contractor_ to guarantee to identify every real or potential _Vulnerability_ in every relevant _System_. No one can.

## No Legal Opinions

_Contractor_ cannot and does not agree to provide or guarantee any conclusion about compliance of any _System_ under audit with legal, regulatory, industry-standard, or private rules, terms, or standards. _Client_ must look to its legal counsel and other professional advisers for that kind of advice.

## Vulnerability Reporting

### Process in General

Subject to [Advice of Counsel](#advice-of-counsel), _Contractor_ agrees to follow this process for any _Vulnerability_ _Contractor_ discovers during work under this agreement:

- _Contractor_ will identify the maintainer of the _System_ that is vulnerable. The maintainer may be _Client_, an open source software project, a standards body, or another kind of organization.
- _Contractor_ will determine whether the maintainer has published a process for reporting the _Vulnerability_.
- If _Contractor_ determines that the maintainer has a process, and that the process meets [Minimum Standards](#minimum-standards), _Contractor_ will report the _Vulnerability_ according to that process.
- Otherwise, _Contractor_ will report the _Vulnerability_ according to [Fallback Disclosure Policy](#fallback-disclosure-policy).

## Advice of Counsel

_Contractor_ may seek legal advice about the legal risks of reporting or publishing a _Vulnerability_. If legal counsel recommends against reporting or publication, _Contractor_ may follow that advice.

_Contractor_ agrees to notify _Client_ that there are legal concerns about reporting or publishing a _Vulnerability_ when doing so won't itself create significant legal risk.

### Minimum Standards

#### Requirements

A disclosure process must:

- specify a secure means of communicating _Vulnerability_ information
- allow _Contractor_ to publish the _Vulnerability_ after a definite period of time

#### Prohibitions

_Contractor_ does not agree to any terms of a disclosure process that would:

- require _Contractor_ to pay any fee or incur any significant expense in order to report
- require _Contractor_ to agree to any contract, or otherwise take on legal obligations, in order to report
- impose an onerous process that requires an inordinate amount of time
- shift the burden of engineering a patch onto _Contractor_
- reserve or establish any right to bring civil, criminal, or any other kinds of legal claims against _Contractor_, or replace or supersede this contract
- require _Contractor_ to provide extra information that might be used to incriminate or sue _Contractor_
- require _Contractor_ to waive any privacy right, confidential treatment, or privileges against disclosure

### Fallback Disclosure Policy

- _Contractor_ will determine whether the vulnerable _System_ has been made available for licensing or use outside its maintainer's corporate group. If _Client_ is the maintainer, _Contractor_ will ask _Client_ technical staff to confirm. If the _System_ has not been available, _Contractor_ will report the _Vulnerability_ to the maintainer immediately, but not publish it.
- Otherwise, _Contractor_ will report each _Vulnerability_ to the maintainer of the vulnerable _System_ immediately and publish each _Vulnerability_ to the security community more broadly ninety calendar days after notification to the maintainer of the system.
- When ninety calendar days end on a weekend or US holiday, _Contractor_ will wait until the next regular workday.
- If the maintainer notifies _Contractor_ that the maintainer will release a security patch within fourteen days after the ninety days would run out, _Contractor_ will wait until the patch is released or the extra fourteen days run out.
- _Contractor_ will publish a _Zero-Day_ after seven days, rather than ninety.
- In exceptional circumstances, _Contractor_ may commit to publishing earlier or later, or change a timeline in light of new information. Whenever possible, _Contractor_ will immediately notify the maintainer of any changes.

### Confidential Reporting

Information that _Contractor_ needs to enable a maintainer to reproduce, validate, and patch a _Vulnerability_ is not confidential information of _Client_ under any nondisclosure terms between _Contractor_ and _Client_. However, if other information about the circumstances in which the _Vulnerability_ was discovered is confidential information under that kind of agreement, it remains confidential information of _Client_. For example, if a nondisclosure agreement covers the fact of the working relationship between _Contractor_ and _Client_, the fact that _Client_ is using or considering the vulnerable _System_, or the terms of this agreement, they remain confidential information under that agreement.

## No Bounties

_Contractor_ agrees to waive any bounty for every _Vulnerability_ _Contractor_ discovers during work under this agreement.

## Terminology

- **Vulnerability** means a weakness in a _System_ that attackers can exploit to do things the _System_ wasn't designed to allow.
- **Zero-Day** means a _Vulnerability_ that, as far as _Contractor_ can reasonably tell, hasn't already been discovered, remains unpatched, and affects a system in use.

  (Adam asks: aren't all vulns 0-days when discovered under this definition? Do you mean something that has been discovered by someone not covered by a contract like this one or more restrictive? What if Contractor finds evidence of a vuln being exploited, thinks it's a zero-day, and it's found by another contractor? Does this create a situation where the company is obligated to disclose that third party's confidential information to Contractor? That seems untenable.)

- **System** means a computer software project, computer system, or security design.