Announcing the Starfleet bug bounty program

Branimir Rakic
OriginTrail
Jan 6, 2021

It is with great pleasure that we kick off the final stages of the preparation phase of the Starfleet stage today by launching the official Starfleet bug bounty program. The OriginTrail Core developers are inviting all security researchers and community members to participate in securing the implementation of Starfleet stage technical components. A significant reward budget in TRAC tokens has been allocated to ensure that Starfleet boarding and launch are in line with the highest security standards.

Bug bounty scope

The following projects are in scope for the Starfleet bug bounty program:

  1. The Starfleet Boarding Solidity smart contract: focusing on securing the boarding process against any potential smart contract attacks, starting from January 6, 2021 (today). A detailed specification for the smart contract is presented in OT-RFC-10;
  2. The Starfleet Boarding website — ensuring the secure interaction of the Dapp with the Starfleet boarding smart contract, starting from January 25, 2021 (after the website launch); and
  3. The Starfleet blockchain source code: To be released prior to the mainnet launch, securing the implementation (starting date TBA).

Rewards

The bug bounty rewards are:

  • Low severity bugs: ~ 1000 TRAC
  • Medium severity bugs: ~ 5000 TRAC
  • High severity bugs: ~ 25000 TRAC

Bug bounty instructions

The following bug bounty rules apply to all of the above-listed projects:

  • First come, first served.
  • Issues that have already been submitted by another person are not eligible for bounty rewards.
  • Public disclosure of a vulnerability makes it ineligible for the bounty reward.
  • Hired auditors are not eligible for rewards.
  • Determination of eligibility, score, and all terms related to the reward is at the sole and final discretion of OriginTrail core developers.

In addition to bug severity, the core developers will also consider the following information to determine the rewards:

  • Quality of description: higher rewards are paid for clear, well-written submissions.
  • Reproducibility: please include test code, scripts, or detailed instructions.
  • Quality of fix, if included: higher rewards will be paid for submissions with a clear description of how to fix the issue.

All bug bounty submissions are to be sent EXCLUSIVELY via email to bounty@tracelabs.io

Please ensure that you are not harming any data present on our servers while testing. We will not take any legal action against you unless you are harming / changing / removing / deleting any data.

We urge bounty hunters to:

  • Give the team a reasonable amount of time to resolve any submitted vulnerabilities.
  • Not use any channel other than the provided email address to submit vulnerabilities.
  • Not damage OriginTrail and its stakeholders or disclose any data in the process of discovery.

Anyone interested in participating in the Starfleet bug bounty campaign should read the following relevant blog posts:

Happy bounty hunting, Tracers!

LEGAL NOTICE

We cannot issue rewards to individuals on sanctions lists or those in countries on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions depending on your local law.

This is a discretionary rewards program. We can cancel the program at any time and the decision to pay a reward is entirely at OriginTrail core developers’ discretion.

Your testing must not violate any law, or disrupt or compromise any data that is not your own. To avoid potential conflicts of interest, we will not grant rewards to OriginTrail Core Developers and contractors.
