Witnet Incentive Program Phase 2: Bug Bounty š
As part of the Witnet Testnet Incentive Program, the Witnet Foundation has allocated up to 30,000 $DAI to hackers and bug-hunters.
For uncovering a critical bug or successfully attacking the network, participants can receive bounty awards of up to 10,000 $DAI, according to the guidelines laid out below.
Allocations will be made on a discretionary basis by the Witnet Foundation, using the guidelines outlined by OWASP and HackerOne. For full terms and conditions, please click here.
Whatās Eligible for Reward?
Submit before 7th October 2020 and your reward may be applicable for a multiplier, as specified in the Reward Criteria below.
Generally speaking, any bug that poses a significant vulnerability, either to the soundness of protocol and protocol/implementation compliance to network security, to classical client security as well as security of cryptographic primitives, could be eligible for a reward.
The Witnet Foundation will take into account:
- Depth and scope of research from the Bug Hunter, and the quality of analysis
- The criticality of the bugs/vulnerabilities
- Ease at which the Witnet Foundation is able to recreate the vulnerability
Whatās Eligible for Reward?
Uncovering a bug that poses a significant vulnerability to:
- the soundness of the protocol
- protocol / implementation compliance to network security
- classical client security
- the security of cryptographic primitives
- security issues with certain services that the Witnet Foundation offer
Attacking the Witnet network by:
- specifying an attack which potentially affects liveness, safety or censorship resistance on the Network
- eclipsing a particular node and running a double-spend attack
Creating a data request that:
- potentially affects the long-term or short-term fairness of distribution, liveness or security of the network
Running a Witnet<> Ethereum bridge node that:
- breaks the security assumptions offered by the interaction with the Ethereum chain and convinces a client smart contract of a fake result
Whatās Not Eligible for Reward?
These bugs and attacks will NOT be eligible for any reward:
- any vulnerability or limitation already known by the Witnet Foundation, as listed on this document
- any bug found on the Witnet websites witnet.io and all the third-level websites on those domains
- any bug found on an application built by the Witnet Foundation or by the Witnet community
- any bug found on the third-party libraries that the Witnet Protocol utilizes
- bugs which have already been submitted by another user or are already known to the Witnet team or have already been publicly disclosed
- any other bug deemed irrelevant or insignificant by the Witnet Foundation
- any bug found by Witnet Foundation employees or any other person employed in any way by the Foundation, directly or indirectly, or anyone engaged by a user of the Witnet codebase to review or audit Witnet code (which has been specifically developed for that user) in exchange for remuneration
Please note: itās entirely at the Witnet Foundationās discretion to decide whether a bug or an attack is significant enough to be eligible for reward.
Report a Bug or Attack
- You must be signed up for Phase 2 of the Testnet Incentive Program. You can sign up here.
2. Send your report to testnet@witnet.foundation and include the following:
- your name
- your Witnet ID (which you will receive on signing up for the Testnet Incentive Program)
- a description of the bug or attack
- a severity level of the bug (based on the OWASP guidelines)
- a description of the attack scenario (if any)
- a list of the components affected
- a report on how to reproduce the bug or attack
- any other details
- On the email subject, please use the following format:
WITNET BUG/ATTACK[SEVERITY LEVEL](the severity level of the issue is discretional to your understanding of the submission, and will be later reviewed by the Witnet Foundation)
3. Please allow 10 business days for us to respond before taking any further action
Once the issue has been submitted, the Witnet Foundation will review the information, assign a severity level (that may or may not be similar to your choice) and redirect this to one member of the Witnet Foundation, who will contact you with more details on the next steps.
Try to include as much information in your report as you can, including a description of the bug or attack, its severity level (detailing the identified risks and the estimated impact and likelihood), and steps for reproducing it or proof of concept.
