Vulnerability disclosure Loki

  1. This Vulnerability Response Process and subsequent bounty reward apply to the following:

    • Code implementation as seen in the Loki repository which sits underneath the Loki Project
    • Written research from the Loki Team which dictates said code implementation

  2. Researchers/Hackers: while you research/hack, we ask that you please refrain from committing the following:

    • Denial of Service / Active exploiting against the Loki mainnet, Mixnet, or Service node networks
    • Social Engineering of Loki staff, contractors or Foundation members
    • Any physical or electronic attempts against Loki community property and/or data centers

  3. As a pro-privacy project we have volunteers running copies of the websites on hidden services on Tor and I2P, as well as on multiple public domains. The live sites are NOT in the scope of this process; only the code is!

  4. Bounty will be released for all projects in Loki (LOKI) only. For more information on how to use Loki, visit the Loki website.

  5. Researchers are not eligible for a bounty if they:

    • Do not abide by the VRP for responsible disclosure

1. Points of contact for security issues

Kee [at] Loki.network PGP fingerprint = 8877 EEBB 9721 ABC5 DF64 9AE4 AC97 1489 5CE4 5D55


Simon [at] Loki.network PGP fingerprint = 45FF F23B 7805 CEC7 7C7E 15F6 2246 DFA8 0945 A5BD


2. Incident response

  1. Researcher submits a report via PGP-encrypted email to the relevant Disclosure manager (DA), using the appropriate public key listed in section 1 to contact a specific DA; the subject of the email should be “Vulnerability disclosure”

  2. In no more than 3 working days, the DA should respond to the researcher using encrypted, secure channels

  3. DA makes inquiries to gather any information needed to confirm whether the submission is indeed a vulnerability

    • a. If the submission is confirmed as a vulnerability with PoC code / exploit, proceed to the next step
    • b. If not vulnerable:
      • i. DA responds with reasons why submission is not a vulnerability
      • ii. DA moves discussion to a new or existing ticket on GitHub if necessary
  4. DA establishes severity of vulnerability:

    • a. HIGH: impacts network as a whole, has potential to break entire Loki network, or service nodes, could result in the loss of Loki.
    • b. MEDIUM: impacts individual nodes, routers, wallets, or must be carefully exploited
    • c. LOW: is not easily exploitable or is low impact
    • d. If there are any disputes regarding bug severity, the Loki Foundation will ultimately define bug severity
  5. Respond according to the severity of the vulnerability:

    • a. HIGH severities must be notified on website and reddit /r/LokiProject within 3 working days of classification
      • i. The notification should list appropriate steps for users to take, if any
      • ii. The notification must not include any details that could suggest an exploitation path
      • iii. The latter takes precedence over the former
    • b. MEDIUM and HIGH severities will require a Point Release
    • c. LOW severities will be addressed in the next Regular Release
  6. DA and Loki project team will apply appropriate patch(es)

    • a. DA designates a PRIVATE git "hotfix branch" to work in
    • b. Patches are reviewed with the researcher
    • c. Any messages associated with PUBLIC commits during the time of review should not make reference to the security nature of the PRIVATE branch or its commits
    • d. Vulnerability announcement is drafted
      • i. Include the severity of the vulnerability
      • ii. Include all vulnerable systems/apps/code
      • iii. Include solutions (if any) if patch cannot be applied
    • e. Release date is discussed
  7. At release date, DA coordinates with developers to finalize update:

    • a. Response Manager propagates the "hotfix branch" to trunk
    • b. Response Manager includes vulnerability announcement draft in release notes
    • c. Proceed with the Point or Regular Release

3. Post-release disclosure process

  1. The DA has 90 days to fulfill all points within section 2

  2. If the Incident Response process in section 2 is successfully completed:

    • a. Researcher decides whether or not to opt out of receiving name/handle/organization credit. By default, the researcher will receive name/handle/organization credit.
      • i. If bounty is applicable, release bounty to the researcher as defined in section "Bounty Distribution"
    • b. Finalize vulnerability announcement draft and include the following:
      • i. Project name and URL
      • ii. Versions known to be affected
      • iii. Versions known to be not affected (for example, the vulnerable code was introduced in a recent version, and older versions are therefore unaffected)
      • iv. Versions not checked
      • v. Type of vulnerability and its impact
      • vi. If already obtained or applicable, a CVE-ID
      • vii. The planned, coordinated release date
      • viii. Mitigating factors (for example, the vulnerability is only exposed in uncommon, non-default configurations)
      • ix. Workarounds (configuration changes users can make to reduce their exposure to the vulnerability)
      • x. If applicable, credits to the original reporter
    • c. Release finalized vulnerability announcement on website and reddit
    • d. If applicable, developers request a CVE-ID
      • i. The commit that applied the fix is referenced in a future commit that includes the CVE-ID
  3. If the Incident Response process in section 2 is not successfully completed:

    • a. DA and developers organize a meeting to discuss why/what points in section 2 were not resolved and how the team can resolve them in the future
    • b. If disputes arise about whether or when to disclose information about a vulnerability, the DA will publicly discuss the issue via IRC and attempt to reach consensus
    • c. If consensus on a timely disclosure is not met (no later than 90 days), the researcher (after 90 days) has every right to expose the vulnerability to the public

4. Bounty Amount and distribution

  • The total pool of Loki bounties is 100,000 LOK; this will decrease over time as bugs are claimed. Rewards are given as a percentage of the reward pool size, incentivizing fast disclosure
  • Bug bounties are rewarded by the severity of the Bug
    1. 10% reserved for LOW severity bugs
    2. 30% reserved for MEDIUM severity bugs
    3. 60% for HIGH severity bugs
  • Each bug will receive at most 10% of its relevant category, depending on the inter-category classification by the DA; the DA also reserves the right to award less than the 10% specified depending on the severity of the bug.

Updated last on 14/11/2018