🐞💰Opened! IRISnet Bug Bounty Program for Mainnet Launch
IRIS Network (a.k.a. IRISnet) aims to establish a technology foundation to facilitate construction of next-generation distributed applications. By incorporating a comprehensive service infrastructure and an enhanced IBC protocol into Cosmos stack, IRISnet enables integration and interoperability of business services offered by heterogeneous blockchains including public chains as well as consortium chains.
No technology is perfect. We believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology.
After reaching fundamental milestones in recent months, the preparations for the IRIS Betanet (which marks the start of mainnet launch) are underway. To preemptively detect and fix bugs/edge cases, we are launching the IRISnet Bug Bounty Program as a part of Betanet launch preparation.
Note: This is the first Bug Bounty Program released by IRIS Foundation. There will be subsequent Programs after the mainnet launch where security bugs will be collected in a private manner — stay tuned.
0:00, 28 Dec, 2018 (UTC+8)～ 0:00, 12 Feb, 2019 (UTC+8)
Rules & Rewards
Bounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. Rewards for bugs will be classified into these categories for payout:
- Critical — $2,000 and up
- Medium — $600 and up
- Low — up to $200
All program rewards will be paid in USDT or IRIS tokens, and will be calculated using the prices at time of payment.
IRISnet core dev team will evaluate each report and will be responsible for rating the severity of each bug submitted. We will give you reward according to the severity of a bug and the quality of a report.
If we receive duplicate bug reports, we will award a bounty to the first person who reported the issue.
Bug Categories (by level of severity)：
- Critical: Destroying consensus and halting the block producing/unfair treatment to the honest nodes/stealing and arbitrarily distributing tokens/breaking the on-chain governance and software upgrade process/memory leakage and unusual resource consumption
- Medium: Unexpected behavior under corner cases/illegal Tx being successfully executed/unexpected action after legal Tx being successfully executed/single machine failure with no affect on the consensus.
- Low: Defect of LCD client and CLI/failure of none Tx query command/failure of tooling command (key/sign/gentx/collect-gentxs)
To be eligible for a reward under this program：
- The security bug must not be a known bug in Cosmos-SDK/Tendermint
- The security bug must not be a known issue as has been documented in GitHub before the bug is reported
- The voting power of Byzantine nodes cannot exceed 1/3 of the total
- The report should include clear reproducible steps and a certain probability of recurring (docker-compose configuration, log files, shell.sh, etc. should be provided)
- Server should run 64-bit Linux system with 4G and above storage
- The security bug can be reproduced in the develop branch against a commit that has been made before the bug is reported
- The security bug should not be test related code issues
- You must not have written the buggy code or otherwise been involved in contributing the buggy code to the IRISnet project
At present, the following IRISnet repositories are “In Scope” and thus eligible for the bounty (note some sub-packages and files are not in-scope):
Not in scope：
In scope: the
In scope: the
In scope: the
Investigating and Reporting Bugs
If you have found a vulnerability, please submit a report through creating an issue (the topic begin with [Bounty]) under the corresponding GitHub repo. Note that we are only able to answer to technical vulnerability reports. It will be labelled valid or not, and the level of the issues, according to our core dev team’s review.
IRIS Foundation comply with national laws and regulations and reserve the rights of the final interpretation of the IRISnet Bug Bounty Program rules and rewards.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.