docs: add update 125 (#194)

Provides info on the new bug bounty programme.

_updates/2024-01-10-update-125.md

@@ -0,0 +1,111 @@
+---
+layout: update
+tag: Developer Update
+date: 2024-01-10
+author: CjS77 
+thumbnail: hacker_bg.webp
+title: A new bug bounty program!
+class: subpage
+---
+
+When we updated our Responsible Disclosure policy
+[last year](https://github.com/tari-project/tari/blob/72daaf5ef614ceb805f690db12c7fefc642d5453/SECURITY.md), we did so
+with a very limited budget.
+
+Members of the community were very quick to point out that the size of the rewards were not commensurate with the scale
+of the issues we were asking the community to help us find.
+
+Now that 2024 has rolled in, and we're in touching distance of the Minotari mainnet launch, we're able to
+substantially increase the value of the rewards we're offering; primarily in the form of Tari tokens.
+
+<style>
+.blink {
+ animation: blinker 2s linear infinite;
+ text-align: center;
+}
+
+@keyframes blinker {
+ 0%, 100% { opacity: 1; transform: scale(1); }
+ 50% { opacity: 0.25; transform: scale(1.1); }
+}
+</style>
+
+<p class="blink">
+🎉🎉🎉 Bounties up to $250,000 worth of XTR 🎉🎉🎉
+</p>
+
+Yes, for all intents and purposes, we'll pay you a quarter bar in Minotari tokens for consensus-breaking bugs.
+
+There are some Ts & Cs. I've highlighted the major ones below, but you can skip all of
+this and go and read the full, updated [Tari Security Policy] right away.
+
+We are still offering cash rewards, but the lion's share of the reward value will be coming from
+the token bounty allocation.
+
+Get cracking!
+
+![Hacker](/assets/img/posts/hacker2.webp)
+
+### Cash bounties
+
+The payouts for cash bounties have actually gotten a slight boost. We have partnered with HackerOne for our new bounty
+programme, and the payouts are as follows:
+
+| Severity | Maximum bounty | Example of vulnerability |
+|----------|----------------|----------------------------------------------------------------------------------------------------------------|
+| Critical | $5,000 | Inflation bugs, spending unowned funds, Producing valid blocks without mining |
+| High | $2,000 | Double spends, Severe DoS, Forcing hard forks, severe TariScript vulnerabilities, remote access of wallet keys |
+| Medium | $750 | Other DoS, other TariScript vulnerabilities |
+| Low | $100 | Minor bugs or non-blockchain issues (e.g. on tari.com, explore.tari.com etc.) |
+
+### Token-based bounties
+
+If you make use of the HackerOne programme, we may issue a token reward _in addition_ to the cash bounty. The
+token rewards are awarded according to the following schedule:
+
+| Severity | Bounty Range\* | Example of vulnerability |
+|----------|---------------------|----------------------------------------------------------------------------------------------------------------|
+| Critical | $100,000 - $250,000 | Inflation bugs, spending unowned funds, Producing valid blocks without mining |
+| High | $25,000 - $75,000 | Double spends, Severe DoS, Forcing hard forks, severe TariScript vulnerabilities, remote access of wallet keys |
+| Medium | $5,000 - $15,000 | Other DoS, other TariScript vulnerabilities |
+| Low | $500 - $5,000 | |
+
+*As the Minotari price is unknown prior to launch, values are quoted in USD-equivalent terms at time of delivery. The
+bounties will be paid out in Minotari. For example, if the trading price of Minotari was $0.04, a
+medium-severity award of $10,000 would be converted to 250,000 Minotari tokens.
+
+## Terms and conditions apply
+
+### Tokens will be distributed after launch
+
+So, firstly, the token rewards can only be paid once Minotari actually exist. Obviously. But we'd love to have any
+bugs that warrant the highest payout to be found _before_ launch. Obviously.
+
+So we're kicking off the bounty program now,
+and handing out IOUs for the tokens to be paid out a few months after launch. The delay is there to let the Minotari
+price stabilise for a period before issuing the awards.
+
+The cash rewards are a little sweetener, in addition to the tokens, to
+compensate for the time delay between disclosure and token payout.
+
+### Cash rewards can only be claimed on HackerOne
+
+We're working with HackerOne to manage the bounty program. **All** the cash rewards will be paid out through that
+program, and you'll need to register with HackerOne to claim them.
+
+If you find a bug but don't want to register with HackerOne, you can still claim the token reward but will forego the
+cash bounty.
+
+Non-critical, non-HackerOne disclosures will likely take much longer to triage, since these disclosures must be
+processed by the core developers, and they're rather busy prepping for mainnet launch.
+
+### Read the full disclosure policy
+
+You can read all the fine print, along with instructions on how to join the HackerOne bounty program in the
+[Tari Security Policy] document. Thank you for helping us make Tari more secure!
+
+![Hacker](/assets/img/posts/hacker.webp)
+
+
+[Tari Security Policy]: https://github.com/tari-project/tari/security/policy "Tari Responsible Disclosure Policy"
+