Help build the world’s future commerce infrastructure

With Boson Protocol

Boson Protocol · Nov 25, 2021

Developer Reward Programs like this are a big deal in Web3. While many Web 2.0 platforms also offer rewards to white-hat hackers, the fact that large corporations still rely so heavily on closed-source and proprietary code forms a practical and philosophical obstacle to engaging the white-hat community.

By contrast, the open-source approach of Web3 projects, based on the “Don’t trust — verify!” mantra, lends itself to the wisdom of crowds, where sunlight is the best disinfectant and projects gain resilience by having as many eyes as possible on their code.

In the world of DeFi, where millions are at stake, responsible projects put themselves up for scrutiny via their bug bounty programs. Last month, for example, a vulnerability in Polygon’s Plasma Bridge was discovered by security specialist Gerhard Wagner, which saved Polygon from a potential $85 million hack.

At Boson, we take security seriously. We are calling out to all developers and security researchers worldwide to help us identify and fix weaknesses in our solution.

We are reshaping commerce for the new Web3 era and we need your help to succeed! If you have discovered a bug, please contact us as soon as possible and we will make sure that you get your reward!

The Program

Your report will be assessed by the Boson Protocol team and scored using the Common Vulnerability Scoring System (CVSS).

The critical asset reward will only be awarded where there is a serious and potentially permanent impact to a user’s funds, or to the core protocol itself.

The Program considers a number of variables in determining rewards. Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of Boson Protocol. We will not be awarding significant bounties for low severity bugs. Rewards will be paid in USDC.

Issues that have already been submitted by another user or are already known to Boson Protocol are not eligible for rewards.

SLA

Boson Protocol will make a best effort to meet the following SLAs for security researchers participating in our program:

  • Time to first response (from report submission) — 3 business days
  • Time to triage (from report submission) — 5 business days
  • Time to reward (from triage) — 30 business days

We’ll try to keep you informed about our progress throughout the process.

Participation Requirements

Participation in this program requires you to adhere to “Responsible Disclosure”. Responsible Disclosure includes:

  • Providing a reasonable amount of time to fix a vulnerability prior to sharing details of the said vulnerability with any other party.
  • Making a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
  • Not defrauding Boson Protocol users, partners or Boson Protocol itself in the process of participating.
  • Not profiting from or allowing any other party to profit from a vulnerability outside of the payouts made by this program.
  • Reporting vulnerabilities with no conditions, demands, or ransom threats. Social Engineering attacks against Boson Protocol contributors are deemed a violation with respect to this program. Researchers engaging in Social Engineering attacks against Boson Protocol contributors will be banned from this program. We define Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.
  • Asking our permission before disclosing the vulnerability.

How to submit your vulnerability

Please provide us with the following information when submitting a bug to this program:

  • Summary of the bug
  • Severity of the bug
  • Steps to reproduce
  • Working proof of concept plus any supporting materials (code, screenshots, logs, etc.)
  • Is any private personal data exposed?
  • Is any partner data exposed?
  • Are user or partner funds at risk of being lost or irretrievable?

Email your report to security@bosonprotocol.io

Please consult our Privacy Policy for further details on how we handle submissions.

What we are interested in

The most important class of bugs we’re looking for are ones that would cause our users to lose access to their funds, whether by gaining admin privileges on the protocol or through a mechanism that renders funds frozen and unusable within the escrow system. These, along with any vulnerabilities that could be used to defraud potential buyers and sellers, are deemed the most important class of exploits; for example, vulnerabilities within the NFT Voucher that is used to commit to a sale or purchase.

Of lesser importance but still of interest are any vulnerabilities in the Portal interface that may allow users to gain unauthorized advantage in any of the Quests or to obtain private information about other users or Boson Protocol’s partners.

Scope

We are primarily inviting vulnerability reports relating to the Boson Protocol Contracts repo and to the Boson Portal user interface.

This document contains the most up-to-date contract addresses on the Ethereum mainnet and on Ethereum’s Ropsten testnet.

Note that we are only interested in bugs on the release tagged “Latest” in this document, not in pre-releases or any other branches.

Out of scope

  • Misconfigurations or operational issues
  • Browser vulnerabilities
  • OS vulnerabilities
  • Spam, Phishing, Vishing, Smishing, Social Engineering of users, partners and contributors
  • (D)DoS attacks
  • Issues that have already been submitted, which are known or which are pending review
  • Our web properties, including but not limited to our website, blog and documentation site
  • The Leptonite reference application
  • Vulnerabilities or attacks on third-party providers (unless otherwise specified)
  • Vulnerabilities in third-party libraries without showing specific impact to the target application
  • Scanner output or scanner-generated reports, including output from any automated or active exploit tool
  • Information leaks via code repositories, transparency logs, etc.
  • Vulnerabilities on third-party platforms, for example, Decentraland
  • Vulnerabilities in Ethereum itself, or in client applications such as wallets
  • Vulnerabilities submitted by individuals who have contributed, directly or indirectly, to the code in the specified repositories (including external auditors); these are not eligible for rewards.

THANK YOU!

Thank you for helping build the world’s future commerce infrastructure!

For more information, including our Legal Notice, visit our documentation site.

About Boson

At Boson Protocol, we are creating a decentralized commerce ecosystem that everyone can use and anyone can trust.

Boson Protocol is a decentralized infrastructure for enabling autonomous commercial exchanges of anyThing, specifically off-chain items. Boson is a peer-to-peer system which replicates the benefits of a market intermediary, without the disbenefits of centralized systems.

Keen to learn more?

Enjoy the dCommerce Stack outlining the services we’ll need to build a dCommerce ecosystem.

Where are we going?

See our Q4 ROADMAP and embark with us.

Got more questions?

Our FAQs ought to have you covered.
