PIVX security bounty FAQ

Marsmensch
tales from the crypt(o)
Oct 15, 2018

On July 23rd we flipped the switch and launched the PIVX security bounty campaign for the public at https://hackerone.com/pivx-project. You can check my previous posts for some more background information, e.g. here, here and here.

Over the past few weeks of running the PIVX security bounty campaign, a few questions have come up that we answer on a regular basis; I have collected them in this dedicated post.

As time goes by, I will extend this post with the most common questions.

“Pick Your Method of Security” by Alan Levine is licensed under CC BY 2.0

Q: Where can I read everything about the program?
A:
Please make sure to read the instructions & policy at https://hackerone.com/pivx-project before starting your work. We do update the scope and policy on a regular basis based on your feedback and technical developments.

Q: How do I access the PIVX security bounty program?
A:
To start testing / working on the bounty, please sign up on https://hackerone.com/users/sign_up. After the registration, you can start working on _all_ listed bounties and submit issues to https://hackerone.com/pivx-project.

Q: What is the best way to get some tPIV (Testnet PIV) for testing?
A:
Please join the PIVX discord to receive some tPIV for testing.

Q: Can I use the public testnet for security testing?
A:
Testing by specifying the “testnet” parameter to the wallet and daemon is perfectly fine.

Q: What are the nodes listed on the PIVX bounty page?
A:
The dedicated nodes listed on https://hackerone.com/pivx-project (see “In Scope”) are provided for your convenience in case you want to experiment with, e.g., a remote code execution or DoS attack vector. They are also connected to the public testnet.

“3 Knights” by mac_filko is licensed under CC BY 2.0

Q: Can you provide a local test environment with multiple nodes?
A:
We created a dedicated, local docker testnet setup for you. The dockerized testnet setup can be found here. This setup can be used to start a local testnet node (connected to the official testnet) with very little effort.

Q: What will my reward be for a serious vulnerability?
A:
Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). The exact amount depends on the attack scenario / exploitability and the potential security impact of the bug. Critical vulnerabilities (a score of 9.0–10.0) are awarded at least 5000 USD.

That’s about it for the most burning questions you had. Feel free to get back to us with anything else.

How to get in touch

  • Please send any requests for interviews, articles, videos, podcasts or questions about the bug bounty program to security@pivx.org or support@pivx.org.
  • PIVX security issues: Please report all security issues via the HackerOne platform. This ensures the process runs smoothly and the right people are notified with the proper urgency.
“LEGO MARVEL Super Heroes — 12K” by Joshua | Ezzell is licensed under CC BY 2.0

About HackerOne

PIVX and HackerOne have a lot in common. H1 was started by hackers and security leaders who are driven by a passion to make the internet safer. Their platform is the industry standard for hacker-powered security. Companies like Starbucks, Twitter, Airbnb and many others trust their services.

About PIVX

PIVX is a Bitcoin-based, community-centric cryptocurrency with a focus on decentralization, privacy, and real-world use. It utilizes an energy-efficient Proof of Stake protocol and a second-tier Masternode network for inclusive community-based governance, along with a blockchain-based self-funding treasury system ensuring its sustainability.

PIVX has implemented a well-known, highly-vetted protocol called Zerocoin with many custom enhancements, allowing blockchain-level transaction anonymity in the form of unlinkability.
