OriginTrail Bug Bounty Program
[This bounty program is now finished. Thank you for your support!]
As already announced in our Whitepaper, we have allocated a portion of our bounty Trace Tokens for the Bug Bounty. This will have up to a total of 1,000,000 TRAC allocated. Finding alid major bugs will be rewarded with up to 10,000 USD value of Trace tokens equivalent to our bounty tokens calculated in Token Sale rate ETH:TRAC (value around 0.10$ per TRAC).
The bounty judges, in their sole discretion, will determine the reward based on their evaluation of both the likelihood and impact of the bug. All reward decisions are final.
Bug & Vulnerability reports:
● Minor Bug: 1,000 TRAC
● Small Bug: 10,000 TRAC
● Medium Bug: 20,000 TRAC
● Serious Bug: 50,000 TRAC
● Crash Bug: 100,000 TRAC
Please send your bug reports to bounty@origin-trail.com, with the subject “BUG BOUNTY.” As soon as your bug report is received, our bounty judges will evaluate the severity of the bug and will contact you. Bounties will be paid in TRAC within a week after the crowdsale has concluded.
Bug Bounty Instructions
Most of the rules on the Ethereum Foundation bug bounty program apply:
● First come, first served.
● Issues that have already been submitted by another user are not eligible for bounty rewards.
● Public disclosure of a vulnerability makes it ineligible for a bounty.
● Paid auditors of the code are not eligible for rewards.
● Determinations of eligibility, score and all terms related to the reward are at the sole and final discretion of OriginTrail.
In addition to bug severity, other variables are also considered when the bug bounty panel decides the score, including (but not limited to):
● Quality of description. Higher rewards are paid for clear, well-written submissions.
● Quality of reproducibility. Please include test code, scripts or detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
● Quality of fix, if included. Higher rewards are paid for submissions with a clear description of how to fix the issue.
Scope
There are two parts of the bug bounty based on subject: website bounty and smart contracts bounty.
Smart contacts
Find bugs in all contracts related to the OriginTrail Token Generating Event (crowdsale and presale process). You may find them in our GitHub repository. OriginTrail smart contract was audited by industry leaders. Despite this fact, we are offering a reward to any security specialists who can find any major bugs in our smart contract.
Website
OriginTrail would like the Bug Bounty Hunters to also test the security of our website from the hacking point of view (Vulnerability testing). Our main website is www.origintrail.io, but we have made the most recent copy of the website on bounty.origintrail.io for the Bounty. Please try to find bugs in bounty website, so the main website will not be disrupted by the bounty process.
Here are some of the guidelines:
● It is important to do testing on computers that comply with the minimum configuration.
● Test the platform. Provide us with the information on ways to disable or disrupt the security system and its database.
● Find an attack on the website or via a user account. Please describe the way attackers deceive contributors.
● If none of the above describes your request, you still have a chance to receive a reward by sending the found vulnerabilities to us.
Word of Caution
Please ensure that while doing penetration testing you are not harming any data present on OriginTrail servers.
Please ensure that you are not changing any details related to the ICO and wallet addresses on the main website.
If you find any critical/severe issues with the OriginTrail website. Please do let us know the possible solution. Report to us immediately; we will get it fixed at our end.
We ensure that from the OriginTrail side we will not take any legal action against you until and unless you are not harming/changing/removing/deleting any data or webpage present on otbounty.io website.
Be WARNED that leaking any vulnerability of the platform on any social media platforms or channels will lead to cancellation of Bounty and might also invite legal action.
We would be happy to reward you Bug Bounty in the form of Trace tokens if you find out vulnerabilities which would affect the OriginTraile TGE event, in case those backdoors are left open.
Reporting
We Urge Submitters to:
- Give us reasonable amount of time to close any submitted vulnerabilities
- Not use any other channel to submit vulnerabilities other that email.
- Not damaging OriginTrail stakeholders, OriginTrail itself or disclosing any data in the process of discovery
Caveat
IMPORTANT: Please take note before making your submission!
To be eligible for rewards the following conditions must first be met:
- Vulnerabilities must be submitted to our designated email bounty@origin-trail.com
- The security vulnerabilities have to be applicable in a real-world attack scenario.
- The vulnerability has to be demonstrated to our team in a comprehensible/reproducible way.
LEGAL NOTICE
We cannot issue rewards to individuals on sanctions lists, or who are in countries on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions depending upon your local law.
This is a discretionary rewards program. We can cancel the program at any time, and the decision to pay a reward is entirely at OriginTrail’s discretion.
Your testing must not violate any law, or disrupt or compromise any data that is not your own.
To avoid potential conflicts of interest, we will not grant rewards to OriginTrail employees and contractors.
Any reward of TRAC tokens are subject to OriginTrail’s Terms and Conditions of Token Generation (“T&C”), and you acknowledge receipt of, and understand and agree to the T&C. The T&C is located at the following website: https://origintrail.io/whitelist/.
