OpenEthereum Bug Bounty Program

Rewards for our community of white-hat warriors

claberus
OpenEthereum
4 min read · Oct 9, 2020


Illustrations by Lea Filipo.

UPDATE: OpenEthereum is being deprecated. The Bug Bounty Program will be deprecated and not receive more applications after the London Upgrade on August 5th 2021.

We are glad to present the guidelines for our new bug bounty program. Its goal is to deliver a stable and secure Ethereum client while rewarding the community for helping us find and address significant security gaps.

The scope of the program is our OpenEthereum client located in this GitHub repository and the associated released binaries.

Eligibility

We will consider bugs affecting Ethereum mainnet that threaten network security and could jeopardize its stability.

Bugs which can be used to bring down or take control of OpenEthereum without direct access to the machine are also considered.

Deprecated features and versions of the software older than our latest release will not be eligible.

The Gnosis core development team, employees, contractors and all other people paid by Gnosis, directly or indirectly (including the external auditors), are not eligible for rewards.

The program is currently active and will remain so until further notice.

Rules

  • Do not harm OpenEthereum or its users during your research; make a good faith effort not to interrupt or break the client. You can start or fork a private chain for bug hunting.
  • Do not use social engineering, spam or distributed denial of service attacks.
  • Report to core@openethereum.org and not to anyone else. Public disclosure of a vulnerability makes it ineligible for a bounty.
  • Include your Ethereum address in your submission.
  • Give us time to fix the bug and adequate written warning before disclosing it to anyone else.
  • Consult our Privacy Policy for further details on how to handle submissions.
  • Follow the legal disclaimer at the end of this article.

Rewards

The rewards are at the sole and final discretion of the OpenEthereum bug bounty panel and will be proportionate to the risk-based score of the bug. Other factors that will be considered are the quality of the test code, scripts and detailed instructions, and the quality of the description of the fix if one is included.

The bounties are denominated in US dollars and paid in the equivalent amount of USDC.

  • Score 9: up to $25 000
  • Score 6: up to $15 000
  • Score 3–4: up to $10 000
  • Score 2: up to $2 000
  • Score 1: up to $500

Legal

The OpenEthereum Bug Bounty Program is a discretionary rewards program by Gnosis Limited for our active community to encourage and reward those who are helping to improve our software. It is not a competition. We can cancel the program at any time and awards are at the sole discretion of Gnosis Limited. We are not able to issue awards to persons who are on any sanctions lists maintained by Gibraltar, the EU or the UK or who are in a jurisdiction sanctioned by the same. We make no representation regarding the tax consequences of any rewards and you are responsible for all taxes payable in connection with the receipt of any rewards.

By submitting your content (your “Submission”) to us, you agree that Gnosis Limited may take all steps needed to validate, mitigate, and disclose the vulnerability, and that you grant Gnosis Limited any and all rights to your Submission needed to do so.

Your testing must not violate any law or compromise any data that is not yours. We will do our best to respond to your submission as quickly as possible, keep you updated on the fix, and award a bounty where appropriate. Any conduct by you that appears to be unlawful, malicious, or criminal in nature will immediately disqualify any Submission from the OpenEthereum Bug Bounty Program. Please do not engage in extortion. Please be aware that testing can be designated as a criminal act by the relevant authorities if you are violating Gibraltar or any other laws. Our rules do not supersede any applicable laws. If you do your best to follow these guidelines in discovering and disclosing a vulnerability, we will not consider your actions as an attack and won’t take any legal action against you.

Any obligations arising out of or in connection with this Bug Bounty Program or its subject matter will be governed by and construed in accordance with the laws of Gibraltar, and the courts of Gibraltar shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this OpenEthereum Bug Bounty Program.

If you have any further questions please contact us at core@openethereum.org, Discord or Twitter.
