In our previous blog post we disclosed the first batch of patched security vulnerabilities, and made a promise:
The whole security vulnerability disclosure process is being standardized on our end. From now on this process will be streamlined. Public critical disclosure information will be released after said vulnerability has been patched on Ark’s Public Network. We will also notify all the related forks (that we are aware of) in an automated manner after patches are closed so they have every opportunity to patch critical vulnerabilities in a timely manner.
As a next step in the standardization of the disclosure process, we are introducing a new public security vulnerabilities repository.
The Security Vulnerabilities repository can be found here: https://github.com/ArkEcosystem/security-vulnerabilities
This repository series will serve as public disclosure of any discovered and patched vulnerabilities within any component of the ARK Blockchain Platform (Core, Desktop Wallet, Mobile Wallet, ARK Pay & Deployer and any other upcoming project we’ll have under our umbrella).New repository with an overview of all reported security vulnerabilities
The list of known, closed or still open security vulnerabilities can be found in the presented tables. The table consists of four fields, describing the basic information about listed security vulnerabilities and links to a more detailed description, by clicking on the link on the identifier field on the left.
Recently, two security vulnerabilities were closed with the release of version v2.0.17 of the Core:Core-SV-007: Forging multiple blocks in a slot and rewards hijackingCore-SV-008: Forged blocks by anyone can cause the chain to stop/or start recovering
With the introduction of this repository and our new standardized process for reporting and dissemination, we are also ending the security disclosure post series. From now on, security disclosures will be included in monthly GitHub digest posts.
We would also like to invite any and all security researchers to audit the current codebase, to analyze the most critical sections (transaction validation and transaction processing in particular) and share their findings with the team. We are running a Security Bounty Program for all of those who would like to help out and earn some extra money while doing so. You can read more here: https://bounty.ark.io.
We have also partnered with Bugcrowd — the planet’s premier crowdsourced security platform! To learn more click here.
Thank you for all of your hard work and we look forward to working together to keep the ARK Network secure and bug free in 2019!