Gifto Token Sale Bug Bounty Program
We are starting a bug bounty program for GIFTO (https://gifto.io) token sale smart contracts:
Our token sale smart contract, along with the multisig wallet, has already been reviewed by Smartdec and is currently being reviewed by BlockchainLabs and Casaba.
Major bug discoveries will be rewarded with up to $10,000 (in GIFTO). Higher rewards are possible (up to $20,000 in GIFTO) in case of very severe vulnerabilities.
Most of the rules on https://bounty.ethereum.org apply in our bounty program:
- First come, first served
- Issues that have already been submitted by another user or are already known to the GIFTO team are not eligible for bounty rewards
- Public disclosure of a vulnerability makes it ineligible for a bounty
- Paid auditors of this code are not eligible for rewards
- Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the GIFTO team
The following file is in scope:
As of this post, the bug bounty program has already started and valid bug reports will be compensated. The offer will end on December 10, 2017.
The value of rewards will vary depending on Severity. The severity of a bug is determined according to the OWASP risk rating model based on Impact and Likelihood, as employed in the Ethereum bug bounty campaign:
- Note: Up to $100 in GIFTO
- Low: Up to $2,000 in GIFTO
- Medium: Up to $5,000 in GIFTO
- High: Up to $10,000 in GIFTO
- Critical: Up to $20,000 in GIFTO
Example: If you found a way to steal the funds raised from the token sale, the bug will be considered a critical bug. If you found a way to mint GIFTO, it will be regarded as a bug with high severity.
The quality of submission will also affect the compensation. A high quality submission would consist of:
- An explanation of how the bug can be reproduced
- A failing test case
- A fix that makes the test case pass.
High quality submissions may be awarded amounts higher than the amounts specified above.
We request that you please give us a reasonable amount of time to reply to your inquiry, and that you do not exploit any vulnerability you discover.
Please send your report to email@example.com.