Ava Labs Avalanche

These impacts are out of scope for this bug bounty program.

All Categories:

• Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
• Impacts caused by attacks requiring access to leaked keys/credentials
• Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
• Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
• Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
• Best practice recommendations
• Feature requests
• Impacts on test files and configuration files unless stated otherwise in the bug bounty program
• If a bug is publicly disclosed (in the repo of an "asset in scope" or otherwise), that bug is considered out-of-scope in this program.
• If a bug is publicly disclosed in a dependency of any of the "assets in scope", that bug is considered out-of-scope in this program.

Coreth/Subnet-EVM

• If a bug is publicly disclosed in https://github.com/ethereum/go-ethereum, that bug is considered out-of-scope in this program.
• If a bug is publicly disclosed in https://github.com/ava-labs/subnet-evm that affects https://github.com/ava-labs/coreth (or vice-versa), that bug is considered out-of-scope in this program.

Blockchain/DLT & Smart Contract Specific:

• Impacts requiring basic economic and governance attacks (e.g. 51% attack)
• Impacts from Sybil attacks
• Network-level Denial-of-Service (TCP/IP/P2P)
• Misconfigurations of AvalancheGo nodes currently running on the Avalanche Network
• Denial-of-Service, OOM, or panic on any API exposed by AvalancheGo
• Impacts involving centralization risks
• Any usage of the node's HTTP API through intended mediums. Intended mediums include usage:
  • requiring direct machine access
  • through explicitly opened RPC ports
  • This includes the ability to send HTTP requests that cause node panics, OOMs, increased disk usage, or causing the node to become unhealthy.
• Consensus liveness failure requiring network control.
• Ex: BGP hijacking attacks
• Preventing a node from properly connecting to the P2P network due to brute force networking DoS vectors.
  • Ex: Syn attacking a specific node with a botnet.
• Unintended node behavior caused by local disk failures.
• Unintended node behavior caused by unusual node configuration deviating from best practices for node configurations
• Compile time or runtime errors due to using unsupported hardware or operating systems.
• Inability to automatically perform NAT-hole punching on specific router hardware.

Prohibited Activities:

• Any testing with pricing oracles or third-party smart contracts
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing of third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks that are executed against project assets
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty

Even if a bug is considered out-of-scope but you feel it should be disclosed privately, we appreciate any and all informational disclosures through this portal. Thanks for your responsible disclosure!