Hey folks! 👋
Everyone knows how much we care about security. Still, we have never had an actual process for reporting and disclosing vulnerabilities. We wanted to fix this, which is why we are proud to present our new security policy and a HackerOne Vulnerability Disclosure Program. We hope this will allow us to receive more reports and handle them in a consistent, structured way, avoiding public disclosures of Solidus security issues.
For the time being, the program is limited to free security vulnerability reports, but we have already started discussing a bounty program that would reward hackers for helping improve our platform. These costs would be covered by our OpenCollective balance.
If you have any suggestions on how we can improve our security policy or our disclosure process, feel free to share them in our Slack!