IRISnet Bug Bounty Program III

Published in

IRISnet Blog

3 min readJan 28, 2021

IRISnet (mainnet IRIS Hub) is about to upgrade with the integration of Cosmos IBC module and unique functions such as NFT and enhanced iService.

In order to make sure the upgraded network remains stable and robust, IRISnet is launching the Bug Bounty Program III as part of the mainnet upgrade preparation to timely find and fix potential issues with assistance from skilled developers.

Time

0:00, 29 January, 2021 (UTC+8) — 0:00, 25 Feb, 2021 (UTC+8)

Rules & Rewards

Bounty rewards will be decided based on many factors including impact and risk of the bug, the possibility of bug being exploited, and the report quality. Rewards for bugs will be classified into these categories for payout:

· Critical — $1,500 and up
· Medium — $500 and up
· Low — up to $200

All the bounty rewards will be paid in equivalent IRIS tokens.

IRISnet core dev team will evaluate each bug report and will be responsible for rating the severity of each bug submitted. The reward will be estimated and decided according to the severity of a bug and the quality of a report.

If we receive duplicate bug reports, we will award a bounty (if applicable) to the first person who reported the issue.

Bug Categories (by levels of severity)

· Critical: Stealing and arbitrarily minting or distributing tokens/destroying consensus and halting the block producing/breaking the on-chain governance and software upgrade process/memory leakage and unusual resource consumption.

· Medium: Unexpected behavior under corner cases/illegal Tx being successfully executed/unexpected action after legal Tx being successfully executed/single machine failure with no effect on the consensus.

· Low: Defect of API (LCD) and CLI/failure of none Tx query command/failure of iris or iristool (sub-)commands.

To qualify for a bounty, make sure:

· The voting power of Byzantine nodes cannot exceed 1/3 of the total.
· Server should run 64-bit Linux system with 4G and above storage.
· The security bug must not be a bug/issue in Cosmos-SDK or Tendermint.
· The security bug must not be a known issue that had been documented in GitHub before the bug was reported.
· The security bug can be reproducible in the master branch.
· The security bug should not be located in test code.
· The report should include clear reproducible steps and a certain probability of recurring (docker-compose configuration, log files, shell.sh, etc. should be provided).
· You must not have written the buggy code or otherwise been involved in contributing the buggy code to the IRISnet project.

Program Scope

At present, the following IRISnet repositories are involved in this bug bounty program scope (note some sub-packages and files are not in-scope):

irisnet/irishub

In scope:
· the master branch under github.com/irisnet/irishub

Not in scope:
· github.com/irisnet/irishub/contrib
· github.com/irisnet/irishub/docs
· github.com/irisnet/irishub/scripts
· github.com/irisnet/irishub/simapp
· github.com/irisnet/irishub/third_party

irisnet/irismod

In Scope:
· the master branch under github.com/irisnet/irismod

Not in Scope:
· github.com/irisnet/irismod/contrib
· github.com/irisnet/irismod/simapp
· github.com/irisnet/irismod/scripts
· github.com/irisnet/irismod/third_party

Reporting Bugs

If you have found a bug, please submit a related report to irisnet-bugs@bianjie.ai. The team will evaluate your reports in the order they are received and send an email response to each reporter with severity rating and reward information, within 5 business days.

IRIS Foundation complied with national laws and regulations and reserves the rights of the final interpretation of the IRISnet Bug Bounty Program rules and rewards.

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.