Security

Custody Not Required

Staking with us does not require giving us custody of your holdings. Because we never hold your assets, even in the unlikely event that our systems are compromised, an attacker cannot steal your holdings through us.

Vulnerabilities

Security researchers and white hat hackers are a critical part of building strong, resilient technology. Staked actively supports the work that hackers and researchers do to find, report and patch security vulnerabilities.

If you want to notify us of a security issue, please email us directly at [email protected], or report the issue through our public Bug Bounty program. Please do not open public issues on GitHub that contain information about a potential security vulnerability, as public disclosure before a fix is available makes it harder to limit the impact and harm of valid security issues.

Coordinated Vulnerability Disclosure Policy

We ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed to protect the people using Staked's services. In addition to this, we ask that you:

  • Allow us a reasonable amount of time to correct or address security vulnerabilities.
  • Avoid exploiting any vulnerabilities that you discover.
  • Demonstrate good faith by not disrupting or degrading Staked’s data or services.

Vulnerability Disclosure Process

Once we receive a vulnerability report, we will use the following process to address it:

  1. Staked will confirm receipt of the vulnerability report within 2 business days. Because our daily operations are distributed across time zones around the globe, exact response times may vary with when a report is submitted. If you have not received a response to a vulnerability report from us within 2 business days, we encourage you to follow up with us.
  2. Staked will investigate and validate the security issue submitted to us as quickly as we can, usually within 5 business days of receipt. A thorough report with clear steps to reproduce the vulnerability and/or a proof of concept will move the process along more quickly.
  3. Staked will acknowledge the bug, and make the necessary code changes to patch it. Some issues may require more time than others to patch, but we will strive to patch each vulnerability as quickly as our resources and development process allow.
  4. Staked will publicly release the security patch for the vulnerability and acknowledge the security fix in the release notes once the issue has been resolved. Public release notes may credit the person or people who reported the vulnerability, unless they wish to stay anonymous.

Bug Bounty Program

Staked believes strongly in compensating researchers for the time they spend in making cryptocurrencies stronger and more resilient. Depending on the severity and criticality of an issue, researchers who report bugs and respect our vulnerability disclosure policy may be eligible for rewards through our bug bounty program.

  • Bounty reward amounts are based on many factors, including impact, risk, likelihood of exploitation, and report quality.
  • There is no maximum reward in the program; critical bugs are eligible for rewards equivalent to $2,500 or more. For particularly severe bugs or exceptional bug reports, we may decide to pay a lower-tier bug a higher-tier reward.
  • Program rewards will be paid in ETH, with the amount calculated from the ETH price at the time of payment.
  • If we receive duplicate bug reports, we will award a bounty to the first person who reported the issue.
  • Any bugs found in third-party services that we use (e.g. Mailchimp, Hubspot) are ineligible for rewards and should be disclosed directly to those services.
  • To learn more about the scope of our bug bounty program or to report a bug, please visit our Bug Bounty section.