WeiFund Bug Bounty Program Is Live!

WeiFund is a crowdfunding platform for the blockchain economy. We are happy to announce our bug bounty is live on January 25 2017, and will last for 2 weeks. Successful bug hunters will be rewarded with both ether and recognition on our website and Github page (See Rewards & Rules section for details).

For complete program details see our Github page. If you’ve already read this information and have found a bug you’d like to submit to WeiFund for review, please use this form: Submit a Bug.

A great place to learn about our platform’s technical design and operation is in our concise documentation.

In addition to reviewing our Github repositories, bounty hunters may wish to attempt to hack two live honey pots. WeiFund will be funding these campaigns over the course of the next two weeks.

Rewards

Paid out Rewards in ether are guided by the Severity category and the Quality of the submission.

  • Critical: Up to $5,000
  • High: Up to $3,000
  • Medium: Up to $2,000
  • Low: Up to $400
  • Note: Up to $100

Severity is calculated according to OWASP’s risk model:

Quality of the submission includes (but not limited to):

  • Quality of Description, Attack Scenario & Components: Clear and well-written descriptions will receive higher rewards.
  • Quality of Reproduction: Include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
  • Quality of Fix: Higher rewards are paid for submissions with clear instructions on how to fix the vulnerability.

Beyond monetary rewards, every bounty hunter is also eligible for being listed on our website and Github for recognition.

Rules

  • Issues that have already been submitted by another user or are already known to WeiFund are not eligible for bounty rewards
  • Public disclosure of a vulnerability without WeiFund’s prior consent results in ineligibility for a bounty
  • ConsenSys’ employees and all other people paid by ConsenSys, directly or indirectly, are not eligible for rewards
  • Determinations of eligibility, award, and all terms related to an award are at the sole and final discretion of WeiFund. Decisions are guided by the submission’s Impact, Likelihood and Quality

Bug Bounty Campaign

The campaigns will be on Ethereum’s Main Net and be constructed using our smart contract templates: two “Standard Campaigns” with “Enhancer Contracts” that issue tokens for each contribution. The Fail Token campaign will have a funding goal of 10,000 ether and the Success Token campaign will have a funding goal of 150 ether with a funding cap of 5000 ether. The Fail Token campaign will fail in raising the required funds and will refund all of its contributors. The Success Token campaign will succeed, and the tokens will be frozen for a limited time before being unfrozen and distributed. The ether funds in the Success Token campaign contract will be sent to a multisig beneficiary.

Targets

In scope:

Out of scope:

  • Bugs related to Internet Explorer and browser-based issues
  • All browser rendering bugs that don’t affect the display of critical information
  • Most user experience improvements on the frontend
  • WeiFund’s website: WeiFund.io
  • Attacks via social engineering

Mailing List

You can join the WeiFund Bounty Hunters mailing list here.

Questions?

Email us at mail@weifund.io

Legal Disclaimer

The bug bounty program is an experimental and discretionary rewards program for our active WeiFund community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of WeiFund. The maximum rewards are subject to change without prior notice. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran, etc). You are responsible for all taxes. All awards are subject to applicable law. Your testing must not violate any law or compromise any data that is not yours. If you comply with the policy when reporting a security issue to us, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. To be eligible for a reward, you must: 1. Give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others. 2. Avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services. 3. Not exploit a security issue you discover for any reason (This includes demonstrating additional risk, such as attempted compromise of sensitive data or probing for additional issues) We will be using live Ethereum Main Net addresses. Please do not send ether (ETH) to the campaign addresses. WeiFund will not be held accountable for any ether (ETH) sent to the address, and is not held responsible for return of any funds.
 
For more information, please contact us at mail@weifund.io

Copyright © 2017 ConsenSys LLC, All rights reserved.


Originally published at medium.com on January 25, 2017.