Bug Bounty: Earn IOTA’s testing

The last few weeks have been busy with development by the Core team. IRI went up on Github and we started the refactoring; the JS Library was fully completed; the GUI Wallet is finished and ready for use; and the Python / C# / Java / C Libraries and tools are under active development.

As it is with software developments: bugs occur. Fixing them is most of the time done fairly quickly, but finding them takes up more effort. But apart from that, we want to provide a direct incentive for people (especially developers) to dig into the code and thoroughly test the tools, libraries and software that we have provided for the community.

Because of this, we at the IOTA Foundation have decided to host the very first public bug bounty program for the next 1 and a half months (45 days). What this basically means is that if you successfully report bugs to any of the listed Github repositories below, you will get paid in IOTA. For newcomers, this should be a wonderful opportunity to earn your first IOTA tokens; for veterans in the community, it is a great way to increase your stack.

So lets get into more details.

Classification of bugs and bounties

In total, the bounty payments range between $25 — $400. Obviously not every bug is the same as the other. That’s why we have different classifications for bugs and how well they pay. To keep things simple, we summarized the bounty program into the following three categories:

  • Minor. Minor bugs are the ones mostly caused by (neglect) from the developer. This is for example using non-instantiated variables (or wrong variable altogether), returning the wrong results and so on. Because they are relatively simple to fix, minor bugs pay between $10 — $100.
  • Medium. Bugs that break the logic, but do not cause any serious problems (in terms of unexpected behavior). For example a non-functional API call in Core, or a library function that (unexpectedly) returns pre-execution can be classified as Medium. Medium bugs pay between $100 — $250.
  • Critical. Critical bugs are the ones that cause unexpected behavior which could even lead to losses (i.e. IOTA’s or transactions being lost) or a non-functional client. Critical bugs are mostly more subtle, and as such are more difficult to find. For example race conditions or any Curl implementation (our trinary hashing function) related bugs fall under this category. Critical bugs pay $250 — $400, depending on the severity.

It should be noted that these bugs are not related to the IOTA protocol itself, which includes Curl and its logic. For these we will host a much larger bug bounty soon and generally pay between $5k — $30k, depending on the severity (especially anything related to Curl).


Scope of the bug bounty

Initially the scope of the bounty program will be limited to 3 of the most important repositories so far:


How the payout works

Once you’ve successfully submitted a bug (please see the instructions below), the core developer team will take a look and assess the bug internally. Once they’ve assessed it and provided a fix (with the corresponding github commit), they will add you to the public repository where all the bug bounty hunters are listed.

The public repository for the bug bounty hunters can be seen here: https://github.com/iotaledger/bug-bounty/blob/master/README.md. This will provide us with a transparent overview of who found what and got paid how much.

Payments for the bugs are made directly once a bug has been validated by core.


How to participate

Currently you can participate in the bug bounty program for IRI, the JS Library and the GUI Wallet.

IRI

In order to participate with IRI, you have to utilize the .jar that is provided here in the Releases (https://github.com/iotaledger/iri/releases), or you can simply follow the steps on the Github readme to compile the package yourself with Maven.

After that, simply run IRI as usual (find neighbors, use the flags etc.) and start testing. Generally try out all API calls (https://iota.readme.io/) or anything that might lead to a bug.

Once you have successfully found a bug or unexpected behavior, please submit it here: https://github.com/iotaledger/iri/issues/new. The Core team will take a look then and assess the gravity of the submitted bug!

JS Library

For the JS library, use the installation instructions on the repository. Try and integrate it into your program (either NodeJS or Browser) and use all API calls, try different things and whatnot.

Once you’ve found a bug or unexpected behavior, please submit it to: https://github.com/iotaledger/iota.lib.js/issues/new

Wallet

Same goes for the wallet, get the latest version from the release page (https://github.com/iotaledger/wallet/releases), or compile the wallet yourself by following the installation instructions.

Once you’ve found a bug or unexpected behavior, please submit it to: https://github.com/iotaledger/wallet/issues/new.


Conclusion

In general, it is good if you join our Slack or the Forum, so that you’re in direct contact with the developers and we can figure things out in a very collaborative manner. Lets get the bug hunting started!