IoTeX Bug Bounty Program — For iotex-core

IoTeX
Published Feb 12, 2019

IoTeX is excited to announce the brand new rewards program for developers in our community! A Bug Bounty program is an open offer to external individuals to receive compensation for reporting iotex-core bugs, specifically related to security of the core functionality.

No technology is perfect, and IoTeX believes that working with researchers, developers, engineers and technologists across the globe is crucial to identifying weaknesses in our blockchain infrastructure while we are building it. If you believe you have found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Campaign Period

02/11/19 10:00 PM PST to 03/31/19 10:00 PM PST

Scope

The scope of the program is limited to technical vulnerabilities in the latest IoTeX blockchain software, with special focus on vulnerabilities in:

  • The P2P networking layer
  • The consensus processing layer
  • The business logic layer for processing blocks and transactions
  • The execution layer for running smart contracts
  • Third-party software and libraries used in the above four layers

The following commonly reported items are known to us and should NOT be reported:

  • Security practices for DNS setup and email authentication
  • Security practices for our websites (iotex.io, iotexscan.io, etc.)
  • Social media spam
  • Phishing attacks

Qualifying vulnerabilities

To qualify for a bounty, the security bug must be original and previously unreported.

Only design or implementation issues that substantially affect the stability or security of the IoTeX blockchain qualify for a reward. Common examples include:

  • Leak of a private key while the host machine is not compromised
  • Triggering unauthorized actions on accounts, e.g., unauthorized transfer of coins out of an account
  • A special packet/message/call that causes the process to crash
  • Sending a contract into an infinite loop or making it consume a large amount of memory

For scenarios that do not fall within one of the above categories, we still appreciate reports that help us secure our infrastructure and our users, and will reward those reports on a case-by-case basis. Note that reward decisions are at the discretion of the IoTeX Foundation.

Rewards

For qualified findings,

  • The base amount of a reward is currently 10,000 IOTX; the concrete amount depends on the severity of the reported bug, according to the following table.
  • The final amount is always chosen at the discretion of the reward panel.
  • We pay higher rewards for unusually clever or severe vulnerabilities, and lower rewards for vulnerabilities that require unusual user interaction. We may also decide that a single report actually constitutes multiple bugs, or that multiple reports are so closely related that they only warrant a single reward.
  • Multiple vulnerabilities with one underlying root cause, where one fix remediates all of them, are considered a single vulnerability and awarded only once.

Reporting Bugs

If you have found a vulnerability, please submit a report through http://iotex.io/bugs with the following information:

  1. The severity of the issue
  2. Summary of the vulnerability
  3. Any additional details about this vulnerability
  4. Steps to reproduce
  5. Supporting Material/References, e.g., source code, scripts
  6. The security impact an attacker could achieve
  7. Your name and country; unidentified submitters will not be eligible for a reward

Note that

  • You will qualify for a reward only if you were the first person to alert us to a previously unknown flaw. We will update you on the progress of your report when it is accepted, validated and fixed, and when the bounty is paid.
  • Technical discussions in https://gitter.im/iotex-dev-community/Lobby are encouraged, but do not disclose bug details without informing us first.
  • Our engineering team (who will communicate from a valid @iotex.io email address) may reach out to you for further information on the bug if needed.

Disclaimer

This is an experimental and discretionary rewards program. The IoTeX Foundation can cancel the program at any time, and the decision as to whether or not to pay a reward is entirely at the IoTeX Foundation’s discretion. Participants’ exploitation or testing must not violate any law, or disrupt or compromise any data without authorization.

Finally

IoTeX always wants our community to take part in the exciting and cutting-edge technology of blockchain platforms. We look forward to interacting with more enthusiastic developers who will change the world with products built on IoTeX, and to rewarding their contributions. Happy hunting!

About IoTeX

Founded as an open-source project in 2017, IoTeX is building the world’s leading privacy-centric blockchain platform for the Internet of Things (IoT). Its mission is to build a decentralized trust fabric for a new era of collaboration and data exchange among devices, applications and people. Backed by a global team of research scientists and top engineers, IoTeX combines blockchain, trusted hardware and edge computing to realize the full potential of IoT.

Stay connected with us!

Website: https://iotex.io/
Twitter: https://twitter.com/iotex_io
Telegram Announcement Channel: https://t.me/iotexchannel
Telegram Group: https://t.me/IoTeXGroup
Medium: https://medium.com/@iotex
Reddit: https://www.reddit.com/r/IoTeX/
Join us: https://iotex.io/careers