Bug Bounty, development updates, and next steps

Development Update — 24th December

Tangram
Tangram
Dec 24, 2019 · 6 min read

Bug Bounty

Moving forward, the bug bounty program scope and rewards will grow and continue to be actively updated as we extend and expand the Tangram network, hit important development milestones, and ship new features into the wild. As the network evolves, so will the bug bounties. The scope of the bug bounty program will be progressively updated to include more of Tangram’s code, and also specific files, vulnerabilities, and areas which may need to be focused on.

Vulnerabilities which may be eligible for the bug bounty include; memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, Denial of Service (DDoS) issues, lost write bugs, payloads/transactions, and other creative bugs and vulnerabilities.

There is no maximum bug bounty reward, but we will reward creative or severe bugs appropriately. The Tangram team will evaluate each report, and rate the severity of each bug submitted. Depending on the severity of a bug and the quality of report, we may choose to reward a lower-tier bug at a higher-tier level or vice versa.

If we receive duplicate bug reports, the bounty will be awarded chronologically (the first person to report the issue).

Any valid vulnerabilities reported to this program will be disclosed publicly after the issue has been resolved.

github.com/tangramproject/Tangram.Vector

github.com/tangramproject/Cypher

  1. Server or Client: RCE-type of vulnerabilities
  2. Cryptographic flaws which would break the underlying protocol confidentiality.

For up to date details, please check the following link periodically:

Out of scope:

Network assessment reports and other assessment generated and “Advisory” or “informational” reports that do not include any Tangram-specific testing and / or context are ineligible for rewards.

Additionally, vulnerabilities which rely on social engineering are ineligible for reward.

To report a security vulnerability through an encrypted channel, please email or contact any of the core developers so that they can verify and exchange public keys with you.

A complete report includes:

  • A detailed description of the issues being reported (Please be succinct);
  • Any prerequisites and steps to get the network and / or system to an impacted state;
  • A reasonably reliable exploit for the issue being reported;
  • Enough information to be able to reasonably reproduce the issue.

Submit questions, report a bug and fixes to bugs:
dev@getsneak.com

The reward for a vulnerability will vary depending on Severity. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood (see below):

OWASP Risk Rating Model

Reward sizes are guided by the below, but are determined at the sole discretion of the Tangram vulnerability panel and as mentioned above are not capped.

  • Critical: up to 10 000 TGM (not capped)
  • High: up to 5000 TGM
  • Medium: up to 2000 TGM
  • Low: up to 1000 TGM
  • Note: up to 500 TGM

Important Information

The bug bounty program currently has very limited bounty scope, and DOES NOT as of yet span end-to-end soundness of protocols (such as the blockchain consensus model and p2p protocols, etc), these will come into play once the network is production ready. The program currently includes classical client security as well as security of cryptographic primitives. When in doubt, please check by sending an email to dev@getsneak.org.

Tangram’s core team and community managers are ineligible to submit any vulnerabilities.

The Tangram bug bounty program is an experimental and discretionary program for our active Tangram community members to encourage and reward those who help to improve the Tangram network. We may cancel the bug bounty program at any time, and as stated, rewards are at the sole discretion of Tangram. Finally, your testing must not violate any law national, international, or otherwise, and must not compromise any data that is not yours.

We are planning and looking to further extend the existing bug bounty in the near future and include further incentives not only to support in identifying security and vulnerability issues but also to enable developers and others to support and grow the Tangram code-base. These include:

  1. Non-core tasks;
  2. Squashing bugs;
  3. Identifying core challenges;
  4. Building out existing already implemented features;
  5. … and who knows what else …

See some of the updates in the past weeks which in the future will be part of the requests for support!


Development Updates

In our previous announcement we announced the release of running a node for Test-net1, Phase 2.

  • Fix clock skew; [97740fe]
  • Tracing with error handling; [84f9e14]
  • Return completed dialing and ignore failed; [c37e9a5]
  • Refactor Dial error tasks; [84f9e14]
  • Return completed dialing and ignore failed; [1194ebe]
  • Dialing tasks refactoring; [ceaa722]
  • Simplifying dial function; [daa114d]
  • Refactor FailureDetection HostedService; [d571d43]
  • Default to 2 days worth of logs for Membership; [c9a0799]
  • Fix timer contention in Membership; [d096670]
  • Cleanup locks; [bf89a4a]
  • Cap BroadcastQueue. Default TorClient timeout to 7 seconds; [e3a9bca]
  • [NEW] Allowing for user defined classes to be passed to Sip/Blockmania actor; [8d1bfbf]
  • Added ack buffer for exactly once delivery; [c742afc]
  • Added Borker.API; [946d318]
  • [NEW] MQTT clustering; [bcb37b9]
  • [NEW] MQTT client managed pub/sub; [6e987b0]
  • [NEW] MQTT RPC client; [d926d3c]
  • [NEW] Added MQTT missing services; [edd2db3]
  • Added Serilog dependency and error handling; [f0db521]
  • Added client storage manager; [bad4f2a]
  • At least once delivery and retrieve stored messages from publisher; [f8b1648]
  • Enabled port setting; [dee4582]
  • [NEW] Internal pub/sub communication. [4d75a97]

“MQTT is a machine-to-machine (M2M)/”Internet of Things” connectivity protocol. It was designed as an extremely lightweight publish/subscribe messaging transport. It is useful for connections with remote locations where a small code footprint is required and/or network bandwidth is at a premium. For example, it has been used in sensors communicating to a broker via satellite link, over occasional dial-up connections with healthcare providers, and in a range of home automation and small device scenarios. It is also ideal for mobile applications because of its small size, low power usage, minimised data packets, and efficient distribution of information to one or many receivers”…

Read more: https://mqtt.org/


Next steps

You may have noticed the initial commit for PoS integration.

The VRF library (libsignal) and documentation can be found here:

As we move closer to a test-net release that includes zk-PoS we’ll be detailing each individual piece and how they pertain to Tangram’s larger architecture. On a very high-level the pieces include:

  1. Non-interactive zero-knowledge proofs (NIZK);
  2. Verifiable Random Function (VRF);
  3. Time-lock puzzles;
  4. Bulletproofs;
  5. Multisig.

Run a node

The guide below assumes that you have an understanding of port forwarding and some advanced computer knowledge:


Thinking of contributing to the code?

Connect with any of the Core and/or Community managers OR simply create an issue/pull request!


If you’re interested, have questions and feedback:

Visit our website: www.tangrams.io

Read our blog: www.medium.com/@tangramd

Join the forum: forum.tangrams.io

Subscribe on Reddit: www.reddit.com/r/Tangrams

Discover us on Discord: www.discord.tangrams.io

Message us on Telegram: https://t.me/Tangrams

Follow us on Twitter: www.twitter.com/tangram

Watch on YouTube: https://www.youtube.com/channel/UCoe5hPG_zjltaG_j2n1Oh4Q

Tangram_tgm

Tangram was created with a singular vision: to inspire, mobilize and empower a new generation of cypherpunks.

Tangram

Written by

Tangram

Tangram was created with a singular vision: to inspire, mobilize and empower a new generation of cypherpunks.

Tangram_tgm

Tangram was created with a singular vision: to inspire, mobilize and empower a new generation of cypherpunks.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade