Open in app

Sign in

Write

Sign in

IRISnet
IRISnet Blog
Published in
3 min readJul 29, 2019

--

🐞💰Opened! IRIS Hub Bug Bounty II Program for new version release

IRIS Hub new version v0.15.0 is coming. We invite skilled security researchers across the globe to join us in identifying weaknesses in the technology and preemptively detect and fix bugs/edge cases. The new version includes features and enhancements such as Asset Management, Random Number Generator, Multi-Signature Account & Tx, Keystore File, Tendermint Upgrade, etc.You can check the following link to see details:

https://github.com/irisnet/irishub/blob/release0.15/CHANGELOG.md

To make sure the new release come with no major bugs or security vulnerabilities, we are launching the IRISnet Bug Bounty II Program as a part of v0.15.0 upgrade preparation.

Period

16:00, 28 July, 2019 UTC ~ 16:00, 15 Aug, 2019 UTC

Rules & Rewards

Bounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. Rewards for bugs will be classified into these categories for payout:

· Critical — $1,500 and up

· Medium — $500 and up

· Low — up to $200

· All program rewards will be paid in equivalent IRIS tokens and the amount of IRIS tokens will be calculated using the CMC price at time of payment.

IRISnet core dev team will evaluate each bug report and will be responsible for rating the severity of each bug submitted. We will give you reward according to the severity of a bug and the quality of a report.

If we receive duplicate bug reports, we will award a bounty to the first person who reports the issue.

Bug Categories (by level of severity):

· Critical: Stealing and arbitrarily minting or distributing tokens/destroying consensus and halting the block producing/breaking the on-chain governance and software upgrade process/memory leakage and unusual resource consumption.

· Medium: Unexpected behavior under corner cases/illegal Tx being successfully executed/unexpected action after legal Tx being successfully executed/single machine failure with no effect on the consensus.

· Low: Defect of API (LCD) and CLI/failure of none Tx query command/failure of iris or iristool (sub-)commands.

To be eligible for a reward under this program:

· The voting power of Byzantine nodes cannot exceed 1/3 of the total.

· Server should run 64-bit Linux system with 4G and above storage.

· The security bug must not be a known bug/issue in Cosmos-SDK or Tendermint.

· The security bug must not be a known issue as has been documented in GitHub before the bug is reported.

· The security bug can be reproduced in the release0.15 branch.

· The security bug should not be located in test code.

· The report should include clear reproducible steps and a certain probability of recurring (docker-compose configuration, log files, shell.sh, etc. should be provided).

· You must not have written the buggy code or otherwise been involved in contributing the buggy code to the IRISnet project.

Program Scope:

At present, the following IRISnet repositories are In Scope and thus eligible for the bounty (note some sub-packages and files are not in-scope):

irisnet/irishub

In scope:the release 0.15 branch under github.com/irisnet/irishub

Not in scope:

· github.com/irisnet/irishub/docs

· github.com/irisnet/irishub/scripts

· github.com/irisnet/irishub/tests

· github.com/irisnet/irishub/tools

· github.com/irisnet/irishub/**/mock

irisnet/tendermint

· In scope:the master branch under github.com/irisnet/tendermint

Investigating and Reporting Bugs

If you have found a vulnerability, please submit a report to irisnet-bugs@bianjie.ai. We’ll evaluate your reports in the order they are received and send an email response to each reporter with severity rating and reward information, within 5 business days.

Safe Harbor

IRIS Foundation comply with national laws and regulations and reserve the rights of the final interpretation of the IRISnet Bug Bounty Program rules and rewards.

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Join Our Community

· Follow @irisnetwork on Twitter:https://twitter.com/irisnetwork

· Join our Telegram channel:https://t.me/irisnetwork

· Follow us on Medium:https://medium.com/irisnet-blog

· Contact us through Email:contact@irisnet.org

· join our Wechat group: irisnetwork2018

· Follow us on Weibo: https://www.weibo.com/u/6455513027

Developer Channel

· Join our QQ group:834063323

· Join our Riot Room:https://riot.im/app/#/room/#iris:matrix.org

· GitHub:https://github.com/irisnet

· Official forum:https://forum.irisnet.org/

Bug Bounty
Rewards
Community
Events

--

--

IRISnet
IRISnet Blog

Written by IRISnet

1K Followers
Editor for

Built with Cosmos-SDK, IRISHUB enables cross-chain interoperability while providing modules to support distributed business systems.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams