April 2024

When we first started Decentraland Studios, penetration testing was not anticipated, like probably most similar projects in the DAO. While our primary focus was on frontend development and enhancing user experience, we operated without following any specific security specifications.

Unfortunately, we have received some threats but all reported vulnerabilities through the Immunefi program have been successfully addressed and fixed. We have reinforced our systems against potential threats, maintaining a secure platform for our community with the help of our developer Pejo. Most of the fixes we have already implemented to address several security concerns were related to the backend (Directus), and frontend.

Given that Decentraland Studios operates under the domain of Decentraland Foundation for visibility and to provide a better product and user experience, we are required to comply with the policies of the Decentraland Foundation vulnerability bounty program.

We wanted to share with the community and users an update on the fixes we have recently implemented:

• Disabled file uploads and downloads on job posts and conversations
• Ensured new user registration, preventing skipping the mail verification
• Sanitized some endpoints for data fetching on the Studios database
• Improved search result display to avoid potential scripting allocated in project titles
• Improved security on job manager, un-manage and invited API
• Improved security on job creation API to avoid injecting fake user data
• Improved role checking on job apply API