-
Notifications
You must be signed in to change notification settings - Fork 34
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Provides info on the new bug bounty programme.
- Loading branch information
Showing
4 changed files
with
111 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,111 @@ | ||
--- | ||
layout: update | ||
tag: Developer Update | ||
date: 2024-01-10 | ||
author: CjS77 | ||
thumbnail: hacker_bg.webp | ||
title: A new bug bounty program! | ||
class: subpage | ||
--- | ||
|
||
When we updated our Responsible Disclosure policy | ||
[last year](https://github.com/tari-project/tari/blob/72daaf5ef614ceb805f690db12c7fefc642d5453/SECURITY.md), we did so | ||
with a very limited budget. | ||
|
||
Members of the community were very quick to point out that the size of the rewards were not commensurate with the scale | ||
of the issues we were asking the community to help us find. | ||
|
||
Now that 2024 has rolled in, and we're in touching distance of the Minotari mainnet launch, we're able to | ||
substantially increase the value of the rewards we're offering; primarily in the form of Tari tokens. | ||
|
||
<style> | ||
.blink { | ||
animation: blinker 2s linear infinite; | ||
text-align: center; | ||
} | ||
|
||
@keyframes blinker { | ||
0%, 100% { opacity: 1; transform: scale(1); } | ||
50% { opacity: 0.25; transform: scale(1.1); } | ||
} | ||
</style> | ||
|
||
<p class="blink"> | ||
🎉🎉🎉 Bounties up to $250,000 worth of XTR 🎉🎉🎉 | ||
</p> | ||
|
||
Yes, for all intents and purposes, we'll pay you a quarter bar in Minotari tokens for consensus-breaking bugs. | ||
|
||
There are some Ts & Cs. I've highlighted the major ones below, but you can skip all of | ||
this and go and read the full, updated [Tari Security Policy] right away. | ||
|
||
We are still offering cash rewards, but the lion's share of the reward value will be coming from | ||
the token bounty allocation. | ||
|
||
Get cracking! | ||
|
||
![Hacker](/assets/img/posts/hacker2.webp) | ||
|
||
### Cash bounties | ||
|
||
The payouts for cash bounties have actually gotten a slight boost. We have partnered with HackerOne for our new bounty | ||
programme, and the payouts are as follows: | ||
|
||
| Severity | Maximum bounty | Example of vulnerability | | ||
|----------|----------------|----------------------------------------------------------------------------------------------------------------| | ||
| Critical | $5,000 | Inflation bugs, spending unowned funds, Producing valid blocks without mining | | ||
| High | $2,000 | Double spends, Severe DoS, Forcing hard forks, severe TariScript vulnerabilities, remote access of wallet keys | | ||
| Medium | $750 | Other DoS, other TariScript vulnerabilities | | ||
| Low | $100 | Minor bugs or non-blockchain issues (e.g. on tari.com, explore.tari.com etc.) | | ||
|
||
### Token-based bounties | ||
|
||
If you make use of the HackerOne programme, we may issue a token reward _in addition_ to the cash bounty. The | ||
token rewards are awarded according to the following schedule: | ||
|
||
| Severity | Bounty Range\* | Example of vulnerability | | ||
|----------|---------------------|----------------------------------------------------------------------------------------------------------------| | ||
| Critical | $100,000 - $250,000 | Inflation bugs, spending unowned funds, Producing valid blocks without mining | | ||
| High | $25,000 - $75,000 | Double spends, Severe DoS, Forcing hard forks, severe TariScript vulnerabilities, remote access of wallet keys | | ||
| Medium | $5,000 - $15,000 | Other DoS, other TariScript vulnerabilities | | ||
| Low | $500 - $5,000 | | | ||
|
||
*As the Minotari price is unknown prior to launch, values are quoted in USD-equivalent terms at time of delivery. The | ||
bounties will be paid out in Minotari. For example, if the trading price of Minotari was $0.04, a | ||
medium-severity award of $10,000 would be converted to 250,000 Minotari tokens. | ||
|
||
## Terms and conditions apply | ||
|
||
### Tokens will be distributed after launch | ||
|
||
So, firstly, the token rewards can only be paid once Minotari actually exist. Obviously. But we'd love to have any | ||
bugs that warrant the highest payout to be found _before_ launch. Obviously. | ||
|
||
So we're kicking off the bounty program now, | ||
and handing out IOUs for the tokens to be paid out a few months after launch. The delay is there to let the Minotari | ||
price stabilise for a period before issuing the awards. | ||
|
||
The cash rewards are a little sweetener, in addition to the tokens, to | ||
compensate for the time delay between disclosure and token payout. | ||
|
||
### Cash rewards can only be claimed on HackerOne | ||
|
||
We're working with HackerOne to manage the bounty program. **All** the cash rewards will be paid out through that | ||
program, and you'll need to register with HackerOne to claim them. | ||
|
||
If you find a bug but don't want to register with HackerOne, you can still claim the token reward but will forego the | ||
cash bounty. | ||
|
||
Non-critical, non-HackerOne disclosures will likely take much longer to triage, since these disclosures must be | ||
processed by the core developers, and they're rather busy prepping for mainnet launch. | ||
|
||
### Read the full disclosure policy | ||
|
||
You can read all the fine print, along with instructions on how to join the HackerOne bounty program in the | ||
[Tari Security Policy] document. Thank you for helping us make Tari more secure! | ||
|
||
![Hacker](/assets/img/posts/hacker.webp) | ||
|
||
|
||
[Tari Security Policy]: https://github.com/tari-project/tari/security/policy "Tari Responsible Disclosure Policy" | ||
|
Binary file not shown.
Binary file not shown.
Binary file not shown.