Q teams up with Immunefi to launch a bug bounty program

Florian Drewes
Q Protocol
Sep 7, 2022

We are happy to announce the launch of our bug bounty program on Immunefi. The program will offer financial rewards for ethical hackers and security researchers who can identify critical and high-severity vulnerabilities.

Its focus is on preventing:

  • Total network shutdown (when the network cannot confirm new transactions);
  • Network partition requiring a hard fork (an unintended permanent chain split requiring a hard fork);
  • Direct loss of funds;
  • Any manipulation of governance voting results;
  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield;
  • Permanent freezing of funds;
  • Protocol insolvency;
  • Execution of arbitrary system commands;
  • Retrieving sensitive data/files from a running server;
  • Taking down the application/website.

Rewards

We distribute the rewards according to the impact of the vulnerability and base them on the Immunefi Vulnerability Severity Classification System. The classification is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains. It takes into account the consequence of exploitation, the privilege required, and the likelihood of a successful exploit.

Blockchain/DLT

Critical USD 50 000
High USD 25 000

Smart Contracts

Critical USD 200 000
High USD 25 000*
Medium USD 5 000
Low USD 1 000

Websites and Applications

Critical USD 10 000
High USD 5 000

To be considered for a reward, all web/app, blockchain/DLT bug reports, and Critical/High/Medium severity smart contract bug reports must come with a PoC with an end-effect issue impacting an asset-in-scope. Explanations and statements are not accepted as PoC, and code is required.

In addition, all Critical severity bug reports must come with a suggestion for a fix to be considered for a reward.

Edit: * The amount was changed on 6th Oct. 2022 from USD 50 000, because High severity offered the same amount as the Critical minimum payout. This turned out to be an unbalanced incentive, as it made no difference whether a bug was Critical or High.
The new amount is also more consistent with the Blockchain/DLT category, as this often led to questions from the community. The change affects only bugs reported after October 6th 2022.

About Immunefi

Immunefi is the premier bug bounty platform for smart contracts and DeFi projects. It’s where security researchers review code, disclose vulnerabilities and make crypto safer for all participants.

The bug bounty programs protect projects and their users by allowing security researchers to discover and disclose potential vulnerabilities in smart contracts and applications. Immunefi rewards security researchers based on the severity of the vulnerability they discover. The affected projects determine the severity.

About Q

The Q Blockchain is the universal governance layer for the decentralized world.

Q’s unique dual-layer node architecture provides an unparalleled level of security against malicious attacks.

Q’s key benefits:

  • Transparent rule-setting and the effective enforcement of these rules;
  • Decentralized dispute resolution through private arbitration;
  • A full-stack governance framework;
  • The core principles of Q are laid down in the Q Constitution — an enforceable contract, so users and devs can rely on them;
  • Q allows you to go beyond a “code is law”-framework — this enables novel business models that require sophisticated governance.
