Livepeer Bug Bounty Program

Eric Tang
Published in Livepeer
Mar 27, 2018

Key Points:

  • The initial bug bounty program will run from 3/27/2018 to 4/13/2018.
  • The scope for the current bug bounty program includes the Livepeer protocol smart contracts ONLY, which can be found here.
  • The protocol smart contracts have been audited — you can find the report here.

The Livepeer protocol launch will mark the very beginning of an iterative process to validate the protocol and the assumptions in its design. Since proper validation of the protocol requires some “skin in the game”, a small amount of tokens will be distributed. Livepeer has taken steps to ensure the security of the protocol via an external audit, and we believe a bug bounty program is another great way to ensure a safe release. We would like to invite anyone in the Livepeer community to participate.

Scope
The scope for the current bug bounty program ONLY includes the Livepeer protocol smart contracts found here. The final commit hash for the repo is 47fe7e28d2f1f0d6b950d60ff580dbfcf55e3831; all bug bounty submissions must be based on that commit. Note that Livepeer uses external libraries such as the OpenZeppelin framework. Bugs in external libraries should be reported to the bounty programs run by those organizations. Livepeer plans to run more bounty programs in the future with larger scopes, including the go-livepeer client and its dependencies. The specifics of those programs will be announced at a later date.

Reward:
Like many other bug bounty programs in the space, we are using the OWASP risk rating model to determine the threat level of a bug. Bounty rewards can be paid in BTC/Eth of equivalent USD value.

Note: Up to $50 USD
Low: Up to $100 USD
Medium: Up to $250 USD
High: Up to $500 USD
Critical: Up to $1000 USD

Our goal for the bounties is to prioritize critical issues that will affect protocol liveness or ownership over the upgrade and governance mechanisms, or significant user values like stealing or locking stakes / deposits.

Important Legal Information
The bug bounty program is an experimental and discretionary rewards program for the active Livepeer community to encourage and reward those who are helping to improve the network. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of Livepeer. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists. You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.

We will do our best to respond to your submission as quickly as possible, keep you updated on the fix, and award a bounty where appropriate.

How to report a bug:
Please report your submissions to security@livepeer.org

Public disclosure of the bug or indication of an intention to exploit it on the mainnet will make the report ineligible for a bounty.

Submitting anonymously or with a pseudonym is OK, but will make you ineligible for BTC/Eth rewards. To be eligible for BTC/Eth rewards, we require your real name and a proof of your identity. Donating your bounty to a charity doesn’t require your identity.

To report the issue through a PGP-encrypted email, here is our pubkey fingerprint: B550-B5D5-704B-CA07

Eric Tang
Livepeer

Engineer +Entrepreneur, Building Livepeer. Previously CTO @wildcard. @carnegiemellon alum.