Security: block/radiography

SECURITY.md

Block Open Source Security Policy

Block recognizes the important contributions our open source community makes. We welcome contributions, including bug fixes and reports of any vulnerabilities that you find. If you find a vulnerability, we encourage you to report it privately in the repository’s Security tab -> Report a vulnerability. Block Open Source is exploring a bug bounty reward program to further engage our open source community in enhancing security and resilience.

Please see Privately reporting a security vulnerability for more information.

Scope

Projects hosted in the block GitHub organization.

Disclosure Procedures

We do not publicly disclose vulnerabilities by default. We take the security of our services very seriously and monitor their use for indications of a malicious attack. In order to distinguish legitimate security research from malicious attacks against our services, we promise not to bring legal action against researchers who:

  • Share with us the full details of any problem found.
  • Do not disclose the issue to others until we’ve had a reasonable time to address it and disclosure has been approved by us.
  • Do not intentionally harm the experience or usefulness of the service to others.
  • Never attempt to view, modify, access, disclose, exfiltrate, use or damage data belonging to Block, its customers, or others.
  • Do not attempt a denial-of-service attack.
  • Do not perform any research or testing in violation of the law.

Security Contacts

For assistance or escalation, please contact the Block Open Source Governance Committee: [email protected]