Bug Bounty, development updates, and next steps
Development Update — 24th December
Moving forward, the scope and rewards of the bug bounty program will grow and be actively updated as we extend the Tangram network, hit important development milestones, and ship new features. As the network evolves, so will the bug bounties. The scope will be progressively widened to cover more of Tangram’s code, and will also call out specific files, vulnerability classes, and areas we want researchers to focus on.
Vulnerabilities which may be eligible for the bug bounty include: memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service (DoS) issues, lost write bugs, malformed or malicious payloads/transactions, and other creative bugs and vulnerabilities.
There is no maximum bug bounty reward, and creative or severe bugs will be rewarded accordingly. The Tangram team will evaluate each report and rate the severity of each bug submitted. Depending on the severity of a bug and the quality of the report, we may choose to reward a lower-tier bug at a higher-tier level or vice versa.
If we receive duplicate bug reports, the bounty will be awarded to the first person to report the issue.
Any valid vulnerabilities reported to this program will be disclosed publicly after the issue has been resolved.
- Server or client: RCE-type vulnerabilities
- Cryptographic flaws which would break the underlying protocol confidentiality.
For up to date details, please check the following link periodically:
Tangram Vector Node repository on GitHub: tangramproject/Tangram.Vector
Out of scope:
Network assessment reports, other automatically generated assessment output, and “advisory” or “informational” reports that do not include any Tangram-specific testing and/or context are ineligible for rewards.
Additionally, vulnerabilities which rely on social engineering are ineligible for reward.
Reporting a bug
To report a security vulnerability through an encrypted channel, please email or otherwise contact any of the core developers so that you can exchange public keys and verify them with each other.
A complete report includes:
- A detailed but succinct description of the issue being reported;
- Any prerequisites and steps to get the network and / or system to an impacted state;
- A reasonably reliable exploit for the issue being reported;
- Enough information to be able to reasonably reproduce the issue.
Submit questions, bug reports and fixes for bugs to:
The reward for a vulnerability will vary depending on severity. Severity is calculated according to the OWASP risk rating model, which combines a Likelihood score and an Impact score into one of the tiers below:
Reward sizes are guided by the below, but are determined at the sole discretion of the Tangram vulnerability panel and as mentioned above are not capped.
- Critical: up to 10 000 TGM (not capped)
- High: up to 5000 TGM
- Medium: up to 2000 TGM
- Low: up to 1000 TGM
- Note: up to 500 TGM
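As an added worked example (not Tangram’s own tooling and not part of the original post), the calculator below implements the OWASP risk rating model referred to above: each likelihood and impact factor is scored 0 to 9, the averages are banded as LOW (below 3), MEDIUM (3 to below 6) or HIGH (6 and above), and the two bands are looked up in OWASP’s overall-severity matrix, whose output tiers (Note, Low, Medium, High, Critical) are the same ones used for the reward tiers above. The factor names are OWASP’s; the two reports it rates, and the scores assigned to them, are constructed for illustration and are assumptions.

```python
"""OWASP Risk Rating calculator mapping a report onto the reward tiers.

Added example, not Tangram's own code. Factor names, the 0-9 scale, the
LOW/MEDIUM/HIGH bands and the severity matrix follow the OWASP Risk Rating
Methodology; the two sample reports at the bottom are constructed.
"""
from statistics import mean

# Likelihood: four threat-agent factors and four vulnerability factors, each 0-9.
# (For skill level, 1 = needs penetration skills, 9 = no skills needed; for
# intrusion detection, 1 = actively detected, 9 = not logged at all.)
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                     # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
# Impact: the four technical-impact factors, each 0-9.
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability")

# OWASP overall-severity matrix, indexed [impact band][likelihood band].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def band(score: float) -> str:
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors: dict, names: tuple) -> float:
    """Average the named factors, refusing missing or out-of-range entries."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    for n in names:
        if not 0 <= factors[n] <= 9:
            raise ValueError(f"{n} must be 0-9, got {factors[n]}")
    return mean([factors[n] for n in names])


def rate(likelihood_factors: dict, impact_factors: dict) -> dict:
    """Return the likelihood/impact scores, their bands and the severity tier."""
    likelihood = average(likelihood_factors, LIKELIHOOD_FACTORS)
    impact = average(impact_factors, IMPACT_FACTORS)
    lb, ib = band(likelihood), band(impact)
    return {"likelihood": likelihood, "impact": impact,
            "likelihood_band": lb, "impact_band": ib,
            "severity": SEVERITY[ib][lb]}


# Constructed sample: an RCE-style bug in the node reachable by any peer
# (high likelihood) that fully compromises the host (high impact).
SAMPLE_RCE = rate(
    {"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
     "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 4,
     "intrusion_detection": 8},
    {"loss_of_confidentiality": 9, "loss_of_integrity": 9,
     "loss_of_availability": 9, "loss_of_accountability": 9},
)

# Constructed sample: a timing side channel needing local access and real skill
# (low likelihood) that leaks only a little information (low impact).
SAMPLE_TIMING = rate(
    {"skill_level": 1, "motive": 1, "opportunity": 2, "size": 2,
     "ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 4,
     "intrusion_detection": 3},
    {"loss_of_confidentiality": 2, "loss_of_integrity": 1,
     "loss_of_availability": 0, "loss_of_accountability": 1},
)

if __name__ == "__main__":
    for name, r in (("RCE", SAMPLE_RCE), ("timing leak", SAMPLE_TIMING)):
        print(f"{name}: likelihood={r['likelihood']:.2f} ({r['likelihood_band']}), "
              f"impact={r['impact']:.2f} ({r['impact_band']}) -> {r['severity']}")
```

Running it directly prints both ratings: the RCE-style report averages a likelihood of 7.125 and an impact of 9 and lands in Critical, while the local timing leak averages 2.375 and 1.0 and lands in Note. The calculation is only the starting point; as stated above, the panel may still move a report up or down a tier on the strength of the write-up.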
The bug bounty program currently has a very limited scope, and DOES NOT yet cover end-to-end soundness of protocols (such as the blockchain consensus model and p2p protocols); these will come into scope once the network is production ready. The program currently covers classical client security as well as the security of the cryptographic primitives. When in doubt, please check by sending an email to email@example.com.
Tangram’s core team and community managers are ineligible to submit any vulnerabilities.
The Tangram bug bounty program is an experimental and discretionary program for our active Tangram community members to encourage and reward those who help to improve the Tangram network. We may cancel the bug bounty program at any time, and as stated, rewards are at the sole discretion of Tangram. Finally, your testing must not violate any law national, international, or otherwise, and must not compromise any data that is not yours.
We are planning and looking to further extend the existing bug bounty in the near future and include further incentives not only to support in identifying security and vulnerability issues but also to enable developers and others to support and grow the Tangram code-base. These include:
- Non-core tasks;
- Squashing bugs;
- Identifying core challenges;
- Building out already implemented features;
- … and who knows what else …
Below are some of the updates from the past weeks; work of this kind will in future be covered by the requests for support.
In our previous announcement we announced the release of Test-net1, Phase 2, and how to run a node on it.
- Fix clock skew; [97740fe]
- Tracing with error handling; [84f9e14]
- Return completed dialing and ignore failed; [c37e9a5]
- Refactor Dial error tasks; [84f9e14]
- Return completed dialing and ignore failed; [1194ebe]
- Dialing tasks refactoring; [ceaa722]
- Simplifying dial function; [daa114d]
- Default to 2 days worth of logs for
- Fix timer contention in Membership; [d096670]
- Cleanup locks; [bf89a4a]
- TorClient timeout to 7 seconds; [e3a9bca]
- [NEW] Allowing for user defined classes to be passed to ackbuffer for exactly once delivery; [c742afc]
- [NEW] MQTT clustering; [bcb37b9]
- [NEW] MQTT client managed pub/sub; [6e987b0]
- [NEW] MQTT RPC client; [d926d3c]
- [NEW] Added MQTT missing services; [edd2db3]
- Added Serilog dependency and error handling; [f0db521]
- Added client storage manager; [bad4f2a]
- At least once delivery and retrieve stored messages from publisher; [f8b1648]
- Enabled port setting; [dee4582]
- [NEW] Internal pub/sub communication. [4d75a97]
“MQTT is a machine-to-machine (M2M)/‘Internet of Things’ connectivity protocol. It was designed as an extremely lightweight publish/subscribe messaging transport. It is useful for connections with remote locations where a small code footprint is required and/or network bandwidth is at a premium. For example, it has been used in sensors communicating to a broker via satellite link, over occasional dial-up connections with healthcare providers, and in a range of home automation and small device scenarios. It is also ideal for mobile applications because of its small size, low power usage, minimised data packets, and efficient distribution of information to one or many receivers”…
Read more: https://mqtt.org/
You may have noticed the initial commit for PoS integration.
- [NEW] Initial PoS. Lottery system that works with Verifiable Random Function (VRF); [94dacb2]
- [NEW] Anti-Emulation (Time-lock puzzle); [b7402cc]
- [NEW] Initial MuSig. [28c877c]
The VRF library (libsignal) and documentation can be found here:
The XEdDSA and VXEdDSA Signature Schemes
This document describes how to create and verify EdDSA-compatible signatures using public key and private key formats…
As we move closer to a test-net release that includes zk-PoS we’ll be detailing each individual piece and how it fits into Tangram’s larger architecture. At a very high level the pieces include:
Run a node
The guide below assumes that you have an understanding of port forwarding and some advanced computer knowledge:
If you’re interested, have questions and feedback:
Visit our website: www.tangrams.io
Read our blog: www.medium.com/@tangramd
Join the forum: forum.tangrams.io
Subscribe on Reddit: www.reddit.com/r/Tangrams
Discover us on Discord: www.discord.tangrams.io
Message us on Telegram: https://t.me/Tangrams
Follow us on Twitter: www.twitter.com/tangram
Watch on YouTube: https://www.youtube.com/channel/UCoe5hPG_zjltaG_j2n1Oh4Q